Reagan72

can't use task manager


There is hope for you yet. :unsure: At least, your HijackThis log isn't nearly as bad now...

Okay. Let's make absolutely sure we're on the same page here. Whenever I have you delete something with HijackThis, your Internet Explorer browser must be closed first. Copy my instructions to Notepad and use that; it's what I routinely do. It's very important, as HijackThis won't be able to remove something tied into IE if IE is open and running.

I need you to download LSPFix; you can get it here: http://www.cexx.org/lspfix.htm. Run it. Select the "I know what I'm doing" tab. On the left side, select the file wrm32.dll and hit the Add button to the right of the program. Once it appears on the right side of the program, hit Finish. LSPFix will remove this file and correct the LSP chain. We can't fix that from HijackThis.

Restart your computer in safe mode again, without Explorer open... Very important!

And kill the following entries with HijackThis:

O1 - Hosts: 127.0.01222.volumeplay1.com

O1 - Hosts: 127.0.0.3adlaji.cn

O1 - Hosts: 127.0.0.lwww.xxie.net

O1 - Hosts: 127.0.01www.gfrgfrsa.cn

O1 - Hosts: 202.165.102.205972.aksjd11.com

O1 - Hosts: 202.165.102.205w3og.cn

O1 - Hosts: 203.208.35.100qazc.fourtw.cn

O1 - Hosts: 203.208.35.100www.aujoy.cn

O1 - Hosts: 203.208.35.101www.hao601.cn

O1 - Hosts: 203.208.35.101www.psp476.cn

O1 - Hosts: 72.14.235.99222.1212l112.net

O1 - Hosts: 72.14.235.99444.1212l112.netn

O1 - Hosts: 72.14.235.99555.1212l112.net

O1 - Hosts: 72.14.235.99111.1212l112.net

O1 - Hosts: 65.55.21.250111.3243l24.com

O1 - Hosts: 65.55.21.250222.3243l24.com

O1 - Hosts: 65.55.21.250333.3243l24.com

O1 - Hosts: 125.64.8.112kao2.gmwo03.com

O1 - Hosts: 125.64.8.112kao.gmwo06.com

O1 - Hosts: 125.64.8.112444.gmwo07.com

O1 - Hosts: 116.252.185.15ru.update365.us

O1 - Hosts: 116.252.185.15ad.update365.us

O1 - Hosts: 207.46.232.182popmails.net

O1 - Hosts: 203.208.37.993.goodhh.com

O1 - Hosts: 220.181.37.55down.rwixr.com

O1 - Hosts: 160.79.42.52www.xdj2008.com

O1 - Hosts: 63.175.76.152www.revtr.cn

O1 - Hosts: 219.133.40.91qq.ljsll.com

O1 - Hosts: 203.208.35.102www.aassccwe.cn

O1 - Hosts: 209.132.177.50973.aksjd11.com

O1 - Hosts: 209.132.177.50974.aksjd11.com

O1 - Hosts: 209.132.177.50971.aksjd11.com

O1 - Hosts: 209.132.177.50975.aksjd11.com

O1 - Hosts: 72.14.235.104user1.12-39.net

O1 - Hosts: 72.14.235.147www.infomt.net

O1 - Hosts: 192.150.18.101ata1.sysions.net

O1 - Hosts: 192.150.18.101ata2.sysions.net

O1 - Hosts: 192.150.18.101ata3.sysions.net

O1 - Hosts: 192.150.18.101ata4.sysions.net

O1 - Hosts: 193.120.42.2268nnnnn99.cn

O1 - Hosts: 24.39.54.34www.haoaoao.cn

O2 - BHO: ThunderAdvise - {97421D0D-E07F-40DF-8F07-99597B9585AD} - C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll

O21 - SSODL: ThunderAdvise - {97421D0D-E07F-40DF-8F07-99597B9585AD} - C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll

O21 - SSODL: cliconfgzx.dll - {7A6DF30E-D0F2-446f-B4F0-BF4232D60E07} - C:\WINDOWS\System32\cliconfgzx.dll

O21 - SSODL: slbiopfs2.dll - {EB9660D8-E1CD-4ff0-B4A9-00CD907F928A} - C:\WINDOWS\System32\slbiopfs2.dll

O21 - SSODL: tscfgwmijxsj.dll - {2CB77746-8ECC-40ca-8217-10CA8BE5EFC8} - C:\WINDOWS\System32\tscfgwmijxsj.dll

O21 - SSODL: lweurqhx.dll - {71A78CD4-E470-4a18-8457-E0E0283DD507} - C:\WINDOWS\System32\lweurqhx.dll

Next I want you to restart in normal mode, update both MBAM and SysClean, scan with MBAM in normal mode and save the log (I want to see it), scan with SysClean in safe mode (I want to see its log as well), and provide an updated HijackThis log after running both of those programs.

Remember, update the programs. :unsure:

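The O1 entries the helper has the user remove above map hostnames to addresses that are not loopback, which redirects those names to someone else's server rather than blocking them; the later HijackThis log instead shows "127.1" entries, which is classic inet_aton shorthand for 127.0.0.1 and therefore a block. The following is an added example, not part of this thread or of any of the tools it mentions, that parses a hosts file with those semantics, splits mappings into blocks and redirects, and groups redirects by target address. SAMPLE_HOSTS is constructed for the example using reserved documentation addresses and .invalid names, and all function and variable names are the example's own.

```python
import ipaddress

# Constructed sample hosts file (not from the page); the names are .invalid
# and the addresses come from documentation ranges, so nothing here resolves.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.1           ads.example.invalid        # shorthand for 127.0.0.1
0.0.0.0         tracker.example.invalid
203.0.113.10    www.update.example.invalid # not loopback: a redirect
203.0.113.10    dl.update.example.invalid
198.51.100.7    login.bank.example.invalid
::1             localhost
"""


def expand_ipv4_shorthand(text):
    """Expand classic inet_aton forms ('127.1', '10.5.2', '2130706433') to an
    IPv4Address: the last part fills every octet not covered by the others.
    Simplified: only decimal parts are accepted (real inet_aton also takes
    octal and hex)."""
    parts = [int(p) for p in text.split(".")]
    if not 1 <= len(parts) <= 4 or any(p < 0 for p in parts):
        raise ValueError(text)
    widths = [8] * (len(parts) - 1) + [32 - 8 * (len(parts) - 1)]
    value = 0
    for part, width in zip(parts, widths):
        if part >= 1 << width:
            raise ValueError(text)
        value = (value << width) | part
    return ipaddress.IPv4Address(value)


def parse_ip(text):
    """Parse an address literal the way the hosts resolver does: IPv6 exactly,
    IPv4 including shorthand."""
    if ":" in text:
        return ipaddress.IPv6Address(text)
    return expand_ipv4_shorthand(text)


def audit_hosts(text):
    """Split hosts-file mappings into 'block' (loopback or 0.0.0.0 targets) and
    'redirect' (anything else). Returns (result, errors) where result holds
    (hostname, canonical_ip, lineno) tuples and errors holds unparsable lines."""
    result = {"block": [], "redirect": []}
    errors = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # strip comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            errors.append((lineno, raw))
            continue
        try:
            ip = parse_ip(fields[0])
        except ValueError:
            errors.append((lineno, raw))
            continue
        kind = "block" if ip.is_loopback or ip.is_unspecified else "redirect"
        for host in fields[1:]:                   # one line may name several hosts
            result[kind].append((host.lower(), str(ip), lineno))
    return result, errors


def redirect_targets(result):
    """Group redirected hostnames by target address. Several unrelated names
    pointing at one address is the pattern of a hijack, not a local override."""
    by_ip = {}
    for host, ip, _ in result["redirect"]:
        by_ip.setdefault(ip, []).append(host)
    return by_ip


if __name__ == "__main__":
    parsed, bad = audit_hosts(SAMPLE_HOSTS)
    for ip, hosts in redirect_targets(parsed).items():
        print(f"REDIRECT {ip}: {', '.join(hosts)}")
    print(f"{len(parsed['block'])} block entries, {len(bad)} unparsable lines")
```

Run against a real %SystemRoot%\system32\drivers\etc\hosts, every redirect group deserves a look, while loopback or 0.0.0.0 entries are what a blocklist tool writes and are not in themselves a problem; the shorthand expansion matters because a scanner that rejects "127.1" as malformed would miss or misclassify those lines.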

Hey Raid, not looking so good; it feels like every time we take a step forward we get knocked two steps back.

MBAM:

Malwarebytes' Anti-Malware 1.28

Database version: 1147

Windows 5.1.2600 Service Pack 1

9/14/2008 4:16:45 AM

mbam-log-2008-09-14 (04-16-45).txt

Scan type: Quick Scan

Objects scanned: 48600

Time elapsed: 7 minute(s), 51 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 17

Registry Keys Infected: 20

Registry Values Infected: 27

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 30

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\WINDOWS\Temp\wmsetup.dll (Trojan.Downloader) -> Delete on reboot.

C:\Documents and Settings\Owner\Local Settings\Temp\wmsetup.dll (Trojan.Downloader) -> Delete on reboot.

C:\WINDOWS\AppPatch\DesktopWin.dll (Trojan.Downloader) -> Delete on reboot.

C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll (Trojan.BHO) -> Delete on reboot.

C:\WINDOWS\sysocmgr.dll (Spyware.OnlineGames) -> Delete on reboot.

C:\WINDOWS\system32\slbiopfs2.dll (Spyware.OnlineGames) -> Delete on reboot.

C:\WINDOWS\system32\yrvyirpq.dll (Spyware.OnlineGames) -> Delete on reboot.

C:\WINDOWS\system32\mstimewd.dll (Spyware.OnlineGames) -> Delete on reboot.

C:\WINDOWS\system32\avicapwm.dll (Spyware.OnlineGames) -> Delete on reboot.

C:\WINDOWS\system32\twainyy.dll (Spyware.OnlineGames) -> Delete on reboot.

C:\WINDOWS\system32\dpvvoxmh.dll (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\system32\lweurqhx.dll (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\system32\tscfgwmijxsj.dll (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\system32\cliconfgzx.dll (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\system32\dispexcb.dll (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\system32\adsntzt.dll (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\system32\xolehlpjh.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{da191de0-aa86-4ed0-4b87-292a3d48be99} (Trojan.Downloader) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\thunderadvise.thunderhlpobj (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\TypeLib\{6d4c7e08-e021-414c-a42d-ab15a2302196} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{deef6582-9927-4cbd-897c-6a1f9e8c47de} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{97421d0d-e07f-40df-8f07-99597b9585ad} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{97421d0d-e07f-40df-8f07-99597b9585ad} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\thunderadvise.thunderhlpobj.1 (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{da1de019-a6a8-ed40-4b87-248b2a93de99} (Spyware.OnlineGames) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{eb9660d8-e1cd-4ff0-b4a9-00cd907f928a} (Spyware.OnlineGames) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{21be5fdf-d4cb-4850-ad99-21e68b50bf3f} (Spyware.OnlineGames) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{65056902-6e7b-4bd7-95ba-688db5fa5beb} (Spyware.OnlineGames) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{6b9fead7-4319-4312-ab05-d8c9cd255bfe} (Spyware.OnlineGames) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{434fa69c-5f0a-42e1-82b8-10af2c8e53c6} (Spyware.OnlineGames) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{2876d76c-caaa-4313-af97-8d1d9a2a1087} (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{71a78cd4-e470-4a18-8457-e0e0283dd507} (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{2cb77746-8ecc-40ca-8217-10ca8be5efc8} (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{7a6df30e-d0f2-446f-b4f0-bf4232d60e07} (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{76d44356-b494-443a-bedc-aa68de4255e6} (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{e0f3526a-4165-4589-80cd-50b6fbac3bda} (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{f0930a2f-d971-4828-8209-b7dfd266ed44} (Trojan.Agent) -> Delete on reboot.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\thunderadvise (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\sysocmgr (Spyware.OnlineGames) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{eb9660d8-e1cd-4ff0-b4a9-00cd907f928a} (Spyware.OnlineGames) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\slbiopfs2.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{21be5fdf-d4cb-4850-ad99-21e68b50bf3f} (Spyware.OnlineGames) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\yrvyirpq.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{65056902-6e7b-4bd7-95ba-688db5fa5beb} (Spyware.OnlineGames) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\mstimewd.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6b9fead7-4319-4312-ab05-d8c9cd255bfe} (Spyware.OnlineGames) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\avicapwm.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{434fa69c-5f0a-42e1-82b8-10af2c8e53c6} (Spyware.OnlineGames) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\twainyy.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{2876d76c-caaa-4313-af97-8d1d9a2a1087} (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\dpvvoxmh.dll (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{71a78cd4-e470-4a18-8457-e0e0283dd507} (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\lweurqhx.dll (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{2cb77746-8ecc-40ca-8217-10ca8be5efc8} (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\tscfgwmijxsj.dll (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{7a6df30e-d0f2-446f-b4f0-bf4232d60e07} (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\cliconfgzx.dll (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{76d44356-b494-443a-bedc-aa68de4255e6} (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\dispexcb.dll (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{e0f3526a-4165-4589-80cd-50b6fbac3bda} (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\adsntzt.dll (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{f0930a2f-d971-4828-8209-b7dfd266ed44} (Trojan.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\xolehlpjh.dll (Trojan.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3PMmUpdate (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\Temp\wmsetup.dll (Trojan.Downloader) -> Delete on reboot.

C:\Documents and Settings\Owner\Local Settings\Temp\wmsetup.dll (Trojan.Downloader) -> Delete on reboot.

C:\WINDOWS\AppPatch\DesktopWin.dll (Trojan.Downloader) -> Delete on reboot.

C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll (Trojan.BHO) -> Delete on reboot.

C:\WINDOWS\sysocmgr.dll (Spyware.OnlineGames) -> Delete on reboot.

C:\WINDOWS\system32\slbiopfs2.dll (Spyware.OnlineGames) -> Delete on reboot.

C:\WINDOWS\system32\yrvyirpq.dll (Spyware.OnlineGames) -> Delete on reboot.

C:\WINDOWS\system32\mstimewd.dll (Spyware.OnlineGames) -> Delete on reboot.

C:\WINDOWS\system32\avicapwm.dll (Spyware.OnlineGames) -> Delete on reboot.

C:\WINDOWS\system32\twainyy.dll (Spyware.OnlineGames) -> Delete on reboot.

C:\WINDOWS\system32\dpvvoxmh.dll (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\system32\lweurqhx.dll (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\system32\tscfgwmijxsj.dll (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\system32\cliconfgzx.dll (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\system32\dispexcb.dll (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\system32\adsntzt.dll (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\system32\xolehlpjh.dll (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\linkinfo.dll (Trojan.Downloader) -> Delete on reboot.

C:\WINDOWS\system32\mcromv.dll (Trojan.OnlineGames) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\qxfel.dll (Trojan.OnlineGames) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\wllame.dll (Trojan.OnlineGames) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\drivers\cdralw.sys (Trojan.Alman) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\FJXZZH0W\b[1].gif (Spyware.OnLineGames) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\LCNW1P3M\28[1].gif (Spyware.OnlineGames) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\NK1ICRFT\d[1].gif (Virus.Alman) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OO8HWOUR\update[1].gif (Spyware.OnlineGames) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\Y9ZGXCV2\update[1].gif (Spyware.OnlineGames) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\Y9ZGXCV2\abb[1].gif (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\Z9M5W29V\abb[1].gif (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\WINDOWS\Update.dll (Trojan.Agent) -> Delete on reboot.

SYSCLEAN:

/--------------------------------------------------------------\

| Trend Micro System Cleaner |

| Copyright 2006-2007, Trend Micro, Inc. |

| http://www.antivirus.com |

\--------------------------------------------------------------/

2008-09-14, 04:24:41, Auto-clean mode specified.

2008-09-14, 04:24:41, Failed to initialize Rootkit Driver.

2008-09-14, 04:24:41, Running scanner "C:\sysclean\TSC.BIN"...

2008-09-14, 04:26:12, Scanner "C:\sysclean\TSC.BIN" has finished running.

2008-09-14, 04:26:12, TSC Log:

Damage Cleanup Engine (DCE) 5.32(Build 1011)

Windows XP(Build 2600: Service Pack 1)

Start time : Sun Sep 14 2008 04:24:42

Load Damage Cleanup Template (DCT) "C:\sysclean\TMRDCT.ptn" (version ) [fail]

Load Damage Cleanup Template (DCT) "C:\sysclean\tsc.ptn" (version 978) [success]

Complete time : Sun Sep 14 2008 04:26:12

Execute pattern count(3022), Virus found count(0), Virus clean count(0), Clean failed count(0)

2008-09-14, 04:26:12, Running scanner "C:\sysclean\VSCANTM.BIN"...

2008-09-14, 06:36:14, Scanner "C:\sysclean\VSCANTM.BIN" has finished running.

2008-09-14, 06:36:14, VSCANTM Log:

2008-09-14, 06:36:14, Files Detected:

Copyright


Your HijackThis log looks much better now, actually.

Allow MBAM to restart your computer and provide me a fresh scan log after. Hopefully, we'll get you cleaned up yet. :unsure:


Thank God, Raid, I thought you were about to go off on me again :unsure: (thought I did something wrong, had me nervous). My mom just had to go on her bank account online, said it was urgent.

I will run MBAM now

Edit: and her email


I wasn't quite sure about your instructions when you said to let MBAM restart; I did that hours ago, so I ran another scan and came up with this:

Malwarebytes' Anti-Malware 1.28

Database version: 1151

Windows 5.1.2600 Service Pack 1

9/14/2008 1:40:37 PM

mbam-log-2008-09-14 (13-40-37).txt

Scan type: Quick Scan

Objects scanned: 48879

Time elapsed: 7 minute(s), 42 second(s)

Memory Processes Infected: 2

Memory Modules Infected: 0

Registry Keys Infected: 4

Registry Values Infected: 2

Registry Data Items Infected: 3

Folders Infected: 0

Files Infected: 6

Memory Processes Infected:

C:\WINDOWS\system32\dllcache\wintcps.exe (Backdoor.Vanbot) -> Failed to unload process.

C:\WINDOWS\system32\drivers\svchost.exe (Heuristics.Reserved.Word.Exploit) -> Failed to unload process.

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\microsoft windows tcp protocol (Backdoor.Vanbot) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\microsoft windows tcp protocol (Backdoor.Vanbot) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\microsoft windows tcp protocol (Backdoor.Vanbot) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{da191de0-aa86-4ed0-4b87-292a3d48be99} (Spyware.OnlineGames) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\desktopwin (Spyware.OnlineGames) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Heuristics.Reserved.Word.Exploit) -> Data: system32\drivers\svchost.exe -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe %WINDIR%\system32\drivers\svchost.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\dllcache\wintcps.exe (Backdoor.Vanbot) -> Delete on reboot.

C:\WINDOWS\AppPatch\DesktopWin.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temp\wmsetup.dll (Trojan.Downloader) -> Delete on reboot.

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\Y9ZGXCV2\update[1].gif (Spyware.OnlineGames) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\Y9ZGXCV2\abb[1].gif (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\drivers\svchost.exe (Trojan.Agent) -> Delete on reboot.

I let it reboot, and now Task Manager works. The app in C:\ is still there, though, just not running.

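The MBAM log in this post shows the two mechanisms behind the thread title: Winlogon\Shell extended from "Explorer.exe" to also launch a second program, and the DisableTaskMgr policy set to 1; the earlier logs show ShellServiceObjectDelayLoad and ShellExecuteHooks entries, which Explorer loads every time it starts. The following is an added example, not from this thread or from any of the tools it uses, that audits those keys. The baseline CLSIDs for the XP shell service objects and the shell32 ShellExecuteHook are assumed here from memory and should be confirmed against a known-clean machine of the same build; INFECTED_SNAPSHOT is a constructed dictionary modeled on the log lines above, not a real registry read; read_live_snapshot() uses the standard winreg module and only runs on Windows, reading the policy key from both HKCU and HKLM because it exists under both.

```python
import sys

# Registry paths under HKLM (and, for the policy key, also HKCU).
WINLOGON = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
SSODL = r"SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"
SEH = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks"
POLICY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Assumed XP baseline (verify against a known-clean machine of the same build).
KNOWN_SSODL = {
    "postbootreminder": "{7849596a-48ea-486e-8937-a2a3009f31a9}",
    "cdburn": "{fbeb8a05-beee-4442-804e-409d6c4515e9}",
    "webcheck": "{e6fb5e20-de35-11cf-9c87-00aa005127ed}",
    "systray": "{35cec8a3-2be6-11d2-8773-92e220524153}",
}
KNOWN_SEH = {"{aeb6717e-7e19-11d0-97ee-00c04fd91972}"}  # shell32 URL exec hook

# Constructed snapshot modeled on the MBAM findings quoted in this thread.
INFECTED_SNAPSHOT = {
    WINLOGON: {
        "Shell": r"Explorer.exe %WINDIR%\system32\drivers\svchost.exe",
        "Userinit": r"C:\WINDOWS\system32\userinit.exe,",
    },
    POLICY: {"DisableTaskMgr": 1},
    SSODL: {
        "WebCheck": "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}",
        "cliconfgzx.dll": "{7A6DF30E-D0F2-446f-B4F0-BF4232D60E07}",
    },
    SEH: {
        "{AEB6717E-7E19-11d0-97EE-00C04FD91972}": "",
        "{7A6DF30E-D0F2-446f-B4F0-BF4232D60E07}": "",
    },
}


def audit_autostart(snapshot):
    """snapshot maps a key path to {value_name: data}. Returns a list of
    (severity, key, value, detail). Pure function, so it runs unchanged on a
    live read or on an offline dump of a suspect machine."""
    findings = []
    wl = snapshot.get(WINLOGON, {})
    shell = wl.get("Shell", "Explorer.exe")
    if shell.strip().lower() != "explorer.exe":      # anything appended runs at logon
        findings.append(("high", WINLOGON, "Shell",
                         f"expected 'Explorer.exe', got {shell!r}"))
    userinit = wl.get("Userinit", "")
    extra = [p.strip() for p in userinit.split(",") if p.strip()
             and not p.strip().lower().endswith(r"\system32\userinit.exe")]
    if extra:
        findings.append(("high", WINLOGON, "Userinit",
                         f"extra program(s) launched at logon: {extra}"))
    if snapshot.get(POLICY, {}).get("DisableTaskMgr", 0) == 1:
        findings.append(("medium", POLICY, "DisableTaskMgr",
                         "Task Manager disabled by policy"))
    for name, clsid in snapshot.get(SSODL, {}).items():
        if KNOWN_SSODL.get(name.lower()) != str(clsid).lower():
            findings.append(("high", SSODL, name,
                             f"shell service object {clsid} not in baseline"))
    for clsid in snapshot.get(SEH, {}):
        if clsid.lower() not in KNOWN_SEH:
            findings.append(("high", SEH, clsid, "ShellExecuteHook not in baseline"))
    return findings


def read_live_snapshot():
    """Read the audited keys from the live registry (Windows only)."""
    import winreg
    snapshot = {}
    targets = [(winreg.HKEY_LOCAL_MACHINE, WINLOGON),
               (winreg.HKEY_LOCAL_MACHINE, SSODL),
               (winreg.HKEY_LOCAL_MACHINE, SEH),
               (winreg.HKEY_CURRENT_USER, POLICY),
               (winreg.HKEY_LOCAL_MACHINE, POLICY)]
    for hive, path in targets:
        try:
            key = winreg.OpenKey(hive, path)
        except OSError:
            continue                      # key absent: nothing to audit
        with key:
            i = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, i)
                except OSError:
                    break                 # no more values
                snapshot.setdefault(path, {})[name] = data
                i += 1
    return snapshot


if __name__ == "__main__":
    snap = read_live_snapshot() if sys.platform == "win32" else INFECTED_SNAPSHOT
    for sev, key, value, detail in audit_autostart(snap):
        print(f"[{sev}] {key}\\{value}: {detail}")
```

On the constructed snapshot this reports the extended Shell value, the DisableTaskMgr policy, the SSODL entry registered under a DLL filename, and the matching ShellExecuteHook CLSID, which is the same CLSID reused in two load points, the pattern visible in the MBAM log above. A finding only says the value is not in the baseline; the next step is to look at the DLL the CLSID resolves to under HKCR\CLSID\{...}\InProcServer32 before deleting anything.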

Great... Very good... Yes.. LOL

Nah man, I don't mean to go off on people, but I also don't like to waste my time. And I'm not used to relying on the user to do things I would normally just do to fix something. I lack... patience you might say. Hell, I might have even overlooked a step or two that would have saved me time, only because I'm just used to digging in and dealing with the problem. heh.

Delete that file from c:\

and have ERUNT make a fresh registry backup. Next, run ATF-Cleaner and have it clean out everything.

After that, provide me a fresh HijackThis log please.

How is your computer running now btw?


Heh, it's cool, I understand. The computer's running fine, btw; that NT AUTHORITY message came up a while ago and I just restarted. Other than that, everything is OK. Except after I read your reply, I went to delete the app in C:\ and found it running in Task Manager. I then tried to stop it in Task Manager and an error message came up that said access was denied. So I restarted and ran MBAM and let it clean up. Then when it rebooted, I ran Task Manager and it wasn't running, so I followed your directions from there and came up with this:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 4:33:14 PM, on 9/14/2008

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\HP\KBD\KBD.EXE

C:\windows\system\hpsysdrv.exe

C:\WINDOWS\wanmpsvc.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus7.hpwis.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus7.hpwis.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus7.hpwis.com/

O1 - Hosts: 127.1 localhost

O1 - Hosts: 127.1 vt0r48p760.cn

O1 - Hosts: 127.1 www.1txx.com

O1 - Hosts: 127.1 www.myovec.cn

O1 - Hosts: 127.1 po.uc-us.cn

O1 - Hosts: 127.1 219.139.83.20

O1 - Hosts: 127.1 www.msj007.cn

O1 - Hosts: 127.1 www.wyf009.cn

O1 - Hosts: 127.1 219.153.71.185

O1 - Hosts: 127.1 59.34.148.68

O1 - Hosts: 127.1 208.43.165.86

O1 - Hosts: 127.1 208.43.166.171

O1 - Hosts: 127.1 219.153.71.185

O1 - Hosts: 127.1 61.164.140.39

O1 - Hosts: 127.1 www.dsabh.cnwww.dsabh.cn

O1 - Hosts: 127.1 cwk1237.3322.org

O1 - Hosts: 127.1 www.woaigan.com

O1 - Hosts: 127.1 munchkin.marketo.net

O1 - Hosts: 127.1 post.marketo.net

O1 - Hosts: 127.1 www.mv2z.cn

O1 - Hosts: 127.1 www.91vva.cn

O1 - Hosts: 127.1 www.wq9q.cn

O1 - Hosts: 127.1 facaizhifuok.cn

O1 - Hosts: 127.1 www.wo9188.cn

O1 - Hosts: 127.1 a.woaigan.com

O1 - Hosts: 127.1 b.woaigan.com

O1 - Hosts: 127.1 xxx.usxx.info

O1 - Hosts: 127.1 alenxya.1122mb.com

O1 - Hosts: 127.1 www.972se.com

O1 - Hosts: 127.1 972se.com

O1 - Hosts: 127.1 pic.03wyt.com

O1 - Hosts: 127.1 d.03wyt.com

O1 - Hosts: 127.1 xs.03wyt.com

O1 - Hosts: 127.1 www.8jse.net

O1 - Hosts: 127.1 8jse.net

O1 - Hosts: 127.1 www.bmwtvb.cn

O1 - Hosts: 127.1 www.kcuf-09.cn

O1 - Hosts: 127.1 www.dvgdfg4650.com

O1 - Hosts: 127.1 www.kcuf-08.cn

O1 - Hosts: 127.1 www.kcuf-11.cn

O1 - Hosts: 127.1 www.kcuf-12.cn

O1 - Hosts: 127.1 1aa1aa.com

O1 - Hosts: 127.1 xx.avno3.com

O1 - Hosts: 127.1 xxx.avno5.com

O1 - Hosts: 127.1 www.avno7.com

O1 - Hosts: 127.1 avno7.com

O1 - Hosts: 127.1 ok.avno4.com

O1 - Hosts: 127.1 ok.avno5.com

O1 - Hosts: 127.1 ok.avno6.com

O1 - Hosts: 127.1 ok.avno7.com

O1 - Hosts: 127.1 ok.avno9.com

O1 - Hosts: 127.1 avno1.com

O1 - Hosts: 127.1 avno3.com

O1 - Hosts: 127.1 avno4.com

O1 - Hosts: 127.1 aikanav.com

O1 - Hosts: 127.1 link.selink.org

O1 - Hosts: 127.1 www.avno6.com

O1 - Hosts: 127.1 avno6.com

O1 - Hosts: 127.1 4.chibbs.info

O1 - Hosts: 127.1 bbs.chibbs.info

O1 - Hosts: 127.1 aa.ss99.biz

O1 - Hosts: 127.1 se.ss99.biz

O1 - Hosts: 127.1 aa.sxlk.net

O1 - Hosts: 127.1 se.sxlk99.com

O1 - Hosts: 127.1 www.88xj.net

O1 - Hosts: 127.1 88xj.net

O1 - Hosts: 127.1 www.99xj.net

O1 - Hosts: 127.1 99xj.net

O1 - Hosts: 127.1 www.91semi.com

O1 - Hosts: 127.1 91semi.com

O1 - Hosts: 127.1 haobaidu.1122mb.com

O1 - Hosts: 127.1 xiao777.za.pl

O1 - Hosts: 127.1 ccavo6.avno6.com

O1 - Hosts: 127.1 a.sxlk99.com

O1 - Hosts: 127.1 www.91vva.cn

O1 - Hosts: 127.1 www.qq08w12.cn

O1 - Hosts: 127.1 www.21xx.info

O1 - Hosts: 127.1 php-1.cn

O1 - Hosts: 127.1 www.v232.com

O1 - Hosts: 127.1 php-2.cn

O1 - Hosts: 127.1 php-3.cn

O1 - Hosts: 127.1 php-4.cn

O1 - Hosts: 127.1 php-5.cn

O1 - Hosts: 127.1 php-6.cn

O1 - Hosts: 127.1 php-7.cn

O1 - Hosts: 127.1 php-8.cn

O1 - Hosts: 127.1 php-9.cn

O1 - Hosts: 127.1 php-10.cn

O1 - Hosts: 127.1 php-11.cn

O1 - Hosts: 127.1 k.5x2x.com

O1 - Hosts: 127.1 a.5x2x.com

O1 - Hosts: 127.1 202.108.23.205

O1 - Hosts: 127.1 60.190.218.21

O1 - Hosts: 127.1 121.14.154.195

O1 - Hosts: 127.1 218.30.82.201

O1 - Hosts: 127.1 59.34.198.48

O1 - Hosts: 127.1 121.14.154.216

O1 - Hosts: 127.1 219.152.120.237

O1 - Hosts: 127.1 121.14.154.184

O1 - Hosts: 127.1 125.67.67.201

O1 - Hosts: 127.1 222.168.102.12

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe"

O4 - HKLM\..\Run: [VTPreset] VTPreset.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot

O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Startup: Adobe Media Player.lnk = C:\Program Files\Adobe Media Player\Adobe Media Player.exe

O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE

O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1219522215203

O21 - SSODL: nwapi32dj.dll - {A2C3BA54-DF75-4881-8EB3-E54B26BBBBC9} - C:\WINDOWS\System32\nwapi32dj.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--

End of file - 6709 bytes


;*******************************************************************************

ANALYSIS: 2008-09-14 20:45:28

PROTECTIONS: 0

MALWARE: 10

SUSPECTS: 29

;*******************************************************************************

PROTECTIONS

Description Version Active Updated

;===============================================================================

;===============================================================================

MALWARE

Id Description Type Active Severity Disinfectable Disinfected Location

;===============================================================================

02943497 Bck/DService.TK Virus/Trojan No 1 Yes No C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KG4J73HE\84785_winhtb[2].exe

03074964 Trj/CI.A Virus/Trojan No 0 Yes No C:\Program Files\Image-Line\FL Studio 8\Plugins\Fruity\Generators\Toxic Biohazard\Toxic Biohazard.dll

03162704 Trj/Agent.JBH Virus/Trojan No 0 Yes No C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KG4J73HE\update[1].gif

03162704 Trj/Agent.JBH Virus/Trojan No 0 Yes No C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\GOY3AKKJ\update[1].gif

03162704 Trj/Agent.JBH Virus/Trojan No 0 Yes No C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KG4J73HE\update[2].gif

03162704 Trj/Agent.JBH Virus/Trojan No 0 Yes No C:\WINDOWS\Temp\QQ_Update.cab

03215283 Trj/Agent.JBH Virus/Trojan No 0 Yes No C:\WINDOWS\AppPatch\DesktopWin.dll

03215284 Trj/Agent.JBH Virus/Trojan Yes 1 Yes No C:\WINDOWS\AppPatch\AclLayer.dll

03238426 Trj/Downloader.UCP Virus/Trojan No 0 Yes No C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0X2J4XUV\abb[2].gif

03238426 Trj/Downloader.UCP Virus/Trojan No 0 Yes No C:\Documents and Settings\Owner\Local Settings\Temp\wmsetup.dll

03238426 Trj/Downloader.UCP Virus/Trojan No 0 Yes No C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0X2J4XUV\abb[1].gif

03238426 Trj/Downloader.UCP Virus/Trojan No 0 Yes No C:\WINDOWS\Temp\wmsetup.dll

03238426 Trj/Downloader.UCP Virus/Trojan Yes 1 Yes No C:\DOCUME~1\Owner\LOCALS~1\Temp\wmsetup.dll

03238426 Trj/Downloader.UCP Virus/Trojan No 0 Yes No C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\4RM1I1MF\abb[1].gif

03429845 Bck/Hupigon.AZG Virus/Trojan No 1 Yes No C:\Program Files\Image-Line\Toxic Biohazard\Toxic Biohazard.dll

03520282 Trj/Lineage.JOC Virus/Trojan No 1 Yes No C:\WINDOWS\system32\kandaof.dll

03625206 W32/Lineage.JSB.worm Virus/Trojan No 1 Yes No C:\WINDOWS\system32\micsus.dll

03667267 Generic Malware Virus/Trojan No 0 Yes No C:\WINDOWS\system32\cupops.dll

;===============================================================================

SUSPECTS

Sent Location

;===============================================================================

No C:\hp\bin\KillIt.exe

No C:\Program Files\TrojanHunter 5.0\THSec.dll

No D:\MiniNT\system32\userinit.exe

No D:\MiniNT\system32\xcopy.exe

No D:\MiniNT\system32\attrib.exe

No D:\MiniNT\system32\Bootini.exe

No D:\MiniNT\system32\chkdsk.exe

No D:\MiniNT\system32\clipsrv.exe

No D:\MiniNT\system32\cmd.exe

No D:\MiniNT\system32\cmd2.exe

No D:\MiniNT\system32\DblRes.exe

No D:\MiniNT\system32\DskPart.exe

No D:\MiniNT\system32\Eject.exe

No D:\MiniNT\system32\expand.exe

No D:\MiniNT\system32\factory.exe

No D:\MiniNT\system32\FATFMT32.EXE

No D:\MiniNT\system32\ipconfig.exe

No D:\MiniNT\system32\LABEL.EXE

No D:\MiniNT\system32\locator.exe

No D:\MiniNT\system32\net.exe

No D:\MiniNT\system32\net1.exe

No D:\MiniNT\system32\notepad.exe

No D:\MiniNT\system32\PAGEFILE.EXE

No D:\MiniNT\system32\pentnt.exe

No D:\MiniNT\system32\ping.exe

No D:\MiniNT\system32\RPONOFF.EXE

No D:\MiniNT\system32\services.exe

No D:\MiniNT\system32\setup.exe

No D:\MiniNT\system32\spoolsv.exe

;===============================================================================

VULNERABILITIES

Id Severity Description

;===============================================================================

133387 MEDIUM MS06-065

133386 MEDIUM MS06-064

133385 MEDIUM MS06-063

133379 HIGH MS06-057

131654 HIGH MS06-055

129977 MEDIUM MS06-053

129976 MEDIUM MS06-052

126093 HIGH MS06-051

126092 MEDIUM MS06-050

126087 HIGH MS06-046

126086 MEDIUM MS06-045

126083 HIGH MS06-042

126082 HIGH MS06-041

126081 HIGH MS06-040

123421 HIGH MS06-036

123420 HIGH MS06-035

120825 MEDIUM MS06-032

120823 MEDIUM MS06-030

120818 HIGH MS06-025

120815 HIGH MS06-022

120814 HIGH MS06-021

117384 MEDIUM MS06-018

114666 HIGH MS06-015

114664 HIGH MS06-013

111790 MEDIUM MS06-011

108744 MEDIUM MS06-008

108743 MEDIUM MS06-007

108742 MEDIUM MS06-006

104567 HIGH MS06-002

104237 HIGH MS06-001

101055 HIGH MS05-054

96574 HIGH MS05-053

93396 HIGH MS05-052

93395 HIGH MS05-051

93394 HIGH MS05-050

93454 MEDIUM MS05-049

;===============================================================================

GMER found nothing again

Hmm. How is the system running now? Please provide an updated hijackthis log.


It is running fine.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 4:42:30 PM, on 9/17/2008

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\VERITAS Software\Update Manager\sgtray.exe

C:\HP\KBD\KBD.EXE

C:\windows\system\hpsysdrv.exe

C:\WINDOWS\System32\rundll32.exe

C:\WINDOWS\System32\explore.exe

C:\WINDOWS\wanmpsvc.exe

C:\WINDOWS\System32\wbem\wmiprvse.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus7.hpwis.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus7.hpwis.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus7.hpwis.com/

O1 - Hosts: 127.1 localhost

O1 - Hosts: 127.1 vt0r48p760.cn

O1 - Hosts: 127.1 www.1txx.com

O1 - Hosts: 127.1 www.myovec.cn

O1 - Hosts: 127.1 po.uc-us.cn

O1 - Hosts: 127.1 219.139.83.20

O1 - Hosts: 127.1 www.msj007.cn

O1 - Hosts: 127.1 www.wyf009.cn

O1 - Hosts: 127.1 219.153.71.185

O1 - Hosts: 127.1 59.34.148.68

O1 - Hosts: 127.1 208.43.165.86

O1 - Hosts: 127.1 208.43.166.171

O1 - Hosts: 127.1 219.153.71.185

O1 - Hosts: 127.1 61.164.140.39

O1 - Hosts: 127.1 www.dsabh.cnwww.dsabh.cn

O1 - Hosts: 127.1 cwk1237.3322.org

O1 - Hosts: 127.1 www.woaigan.com

O1 - Hosts: 127.1 munchkin.marketo.net

O1 - Hosts: 127.1 post.marketo.net

O1 - Hosts: 127.1 www.mv2z.cn

O1 - Hosts: 127.1 www.91vva.cn

O1 - Hosts: 127.1 www.wq9q.cn

O1 - Hosts: 127.1 facaizhifuok.cn

O1 - Hosts: 127.1 www.wo9188.cn

O1 - Hosts: 127.1 a.woaigan.com

O1 - Hosts: 127.1 b.woaigan.com

O1 - Hosts: 127.1 xxx.usxx.info

O1 - Hosts: 127.1 alenxya.1122mb.com

O1 - Hosts: 127.1 www.972se.com

O1 - Hosts: 127.1 972se.com

O1 - Hosts: 127.1 pic.03wyt.com

O1 - Hosts: 127.1 d.03wyt.com

O1 - Hosts: 127.1 xs.03wyt.com

O1 - Hosts: 127.1 www.8jse.net

O1 - Hosts: 127.1 8jse.net

O1 - Hosts: 127.1 www.bmwtvb.cn

O1 - Hosts: 127.1 www.kcuf-09.cn

O1 - Hosts: 127.1 www.dvgdfg4650.com

O1 - Hosts: 127.1 www.kcuf-08.cn

O1 - Hosts: 127.1 www.kcuf-11.cn

O1 - Hosts: 127.1 www.kcuf-12.cn

O1 - Hosts: 127.1 1aa1aa.com

O1 - Hosts: 127.1 xx.avno3.com

O1 - Hosts: 127.1 xxx.avno5.com

O1 - Hosts: 127.1 www.avno7.com

O1 - Hosts: 127.1 avno7.com

O1 - Hosts: 127.1 ok.avno4.com

O1 - Hosts: 127.1 ok.avno5.com

O1 - Hosts: 127.1 ok.avno6.com

O1 - Hosts: 127.1 ok.avno7.com

O1 - Hosts: 127.1 ok.avno9.com

O1 - Hosts: 127.1 avno1.com

O1 - Hosts: 127.1 avno3.com

O1 - Hosts: 127.1 avno4.com

O1 - Hosts: 127.1 aikanav.com

O1 - Hosts: 127.1 link.selink.org

O1 - Hosts: 127.1 www.avno6.com

O1 - Hosts: 127.1 avno6.com

O1 - Hosts: 127.1 4.chibbs.info

O1 - Hosts: 127.1 bbs.chibbs.info

O1 - Hosts: 127.1 aa.ss99.biz

O1 - Hosts: 127.1 se.ss99.biz

O1 - Hosts: 127.1 aa.sxlk.net

O1 - Hosts: 127.1 se.sxlk99.com

O1 - Hosts: 127.1 www.88xj.net

O1 - Hosts: 127.1 88xj.net

O1 - Hosts: 127.1 www.99xj.net

O1 - Hosts: 127.1 99xj.net

O1 - Hosts: 127.1 www.91semi.com

O1 - Hosts: 127.1 91semi.com

O1 - Hosts: 127.1 haobaidu.1122mb.com

O1 - Hosts: 127.1 xiao777.za.pl

O1 - Hosts: 127.1 ccavo6.avno6.com

O1 - Hosts: 127.1 a.sxlk99.com

O1 - Hosts: 127.1 www.91vva.cn

O1 - Hosts: 127.1 www.qq08w12.cn

O1 - Hosts: 127.1 www.21xx.info

O1 - Hosts: 127.1 php-1.cn

O1 - Hosts: 127.1 www.v232.com

O1 - Hosts: 127.1 php-2.cn

O1 - Hosts: 127.1 php-3.cn

O1 - Hosts: 127.1 php-4.cn

O1 - Hosts: 127.1 php-5.cn

O1 - Hosts: 127.1 php-6.cn

O1 - Hosts: 127.1 php-7.cn

O1 - Hosts: 127.1 php-8.cn

O1 - Hosts: 127.1 php-9.cn

O1 - Hosts: 127.1 php-10.cn

O1 - Hosts: 127.1 php-11.cn

O1 - Hosts: 127.1 k.5x2x.com

O1 - Hosts: 127.1 a.5x2x.com

O1 - Hosts: 127.1 202.108.23.205

O1 - Hosts: 127.1 60.190.218.21

O1 - Hosts: 127.1 121.14.154.195

O1 - Hosts: 127.1 218.30.82.201

O1 - Hosts: 127.1 59.34.198.48

O1 - Hosts: 127.1 121.14.154.216

O1 - Hosts: 127.1 219.152.120.237

O1 - Hosts: 127.1 121.14.154.184

O1 - Hosts: 127.1 125.67.67.201

O1 - Hosts: 127.1 222.168.102.12

O2 - BHO: ThunderAdvise - {97421D0D-E07F-40DF-8F07-99597B9585AD} - (no file)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe"

O4 - HKLM\..\Run: [VTPreset] VTPreset.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot

O4 - HKLM\..\Run: [3PMmUpdate] rundll32 "C:\WINDOWS\Update.dll",Main

O4 - HKLM\..\Run: [HBService32] System.exe

O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\qsqnt.exe

O4 - HKLM\..\Run: [HBService] explore.exe

O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Startup: Adobe Media Player.lnk = C:\Program Files\Adobe Media Player\Adobe Media Player.exe

O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE

O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1219522215203

O20 - AppInit_DLLs: aaa.dll,HBmhly.dll,HB1000Y.dll,HBWOOOL.dll,HBXY2.dll,HBJXSJ.dll,HBSO2.dll,HBFS2.dll,HBXY3.dll,HBSHQ.dll,HBFY.dll,HBWULIN2.dll,HBW2I.dll,HBKDXY.dll,HBWORLD2.dll,HBASKTAO.dll,HBZHUXIAN.dll,HBWOW.dll,HBZERO.dll,HBBO.dll,HBCONQUER.dll,HBSOUL.dll,HBCHIBI.dll,HBDNF.dll,HBWARLORDS.dll,HBTL.dll,HBPICKCHINA.dll,HBCT.dll,HBGC.dll,HBHM.dll,HBHX2.dll,HBQQHX.dll,HBTW2.dll,HBQQSG.dll,HBQQFFO.dll,HBZT.dll,HBMIR2.dll,HBRXJH.dll,HBYY.dll,HBMXD.dll,HBSQ.dll,HBTJ.dll,HBFHZL.dll,HBWLQX.dll,HBLYFX.dll,HBR2.dll,HBCHD.dll,HBTZ.dll,HBQQXX.dll,HBWD.dll,HBZG.dll,HBPPBL.dll,HBXMJ.dll,HBJTLQ.dll,HBQJSJ.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--

End of file - 7928 bytes


Okay. You're still infected, but I think we are almost done. :angry:

Run MBAM, and update it. Please scan your system and provide its logfile. Also provide a fresh hijackthis log. We're almost clean now.


Thank God,

MBAM

Malwarebytes' Anti-Malware 1.28

Database version: 1166

Windows 5.1.2600 Service Pack 1

9/17/2008 8:03:00 PM

mbam-log-2008-09-17 (20-03-00).txt

Scan type: Quick Scan

Objects scanned: 53917

Time elapsed: 9 minute(s), 23 second(s)

Memory Processes Infected: 1

Memory Modules Infected: 1

Registry Keys Infected: 6

Registry Values Infected: 4

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 30

Memory Processes Infected:

C:\WINDOWS\system32\explore.exe (Backdoor.Bot) -> Unloaded process successfully.

Memory Modules Infected:

C:\WINDOWS\system32\HBmhly.dll (Spyware.OnlineGames) -> Delete on reboot.

Registry Keys Infected:

HKEY_CLASSES_ROOT\thunderadvise.thunderhlpobj (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\thunderadvise.thunderhlpobj.1 (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{97421d0d-e07f-40df-8f07-99597b9585ad} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\hbkernel (Rootkit.OnlineGames) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\hbkernel (Rootkit.OnlineGames) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hbkernel (Rootkit.OnlineGames) -> Delete on reboot.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cryptographic service (Worm.Padobot) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3PMmUpdate (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\sysocmgr (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\DesktopWin (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\qsqnt.exe (Worm.Padobot) -> Quarantined and deleted successfully.

C:\WINDOWS\sysocmgr.dll (Trojan.Small) -> Delete on reboot.

C:\WINDOWS\linkinfo.dll (Trojan.Downloader) -> Delete on reboot.

C:\WINDOWS\system32\ftpupd.exe (Worm.Padobot) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\mcromv.dll (Trojan.OnlineGames) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\qxfel.dll (Trojan.OnlineGames) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\wllame.dll (Trojan.OnlineGames) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\drivers\cdralw.sys (Trojan.Alman) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\QQ_Update.cab (Spyware.OnlineGames) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\wmsetup.dll (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temp\wmsetup.dll (Trojan.Downloader) -> Delete on reboot.

C:\Documents and Settings\David\Local Settings\Temp\wmsetup.dll (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\1L5UBF9R\1b[1].gif (Spyware.OnlineGames) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\1L5UBF9R\b[1].gif (Spyware.OnLineGames) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\4RM1I1MF\abb[1].gif (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\GHQVWPMB\23[1].gif (Spyware.OnlineGames) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\GHQVWPMB\d[1].gif (Virus.Alman) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\STUVKXMB\28[1].gif (Spyware.OnlineGames) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\W1QVSXAR\update[1].gif (Spyware.OnlineGames) -> Quarantined and deleted successfully.

C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\7K6KNQ36\abb[1].gif (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\UY2VUD1C\update[1].gif (Spyware.OnlineGames) -> Quarantined and deleted successfully.

C:\WINDOWS\AppPatch\DesktopWin.dll (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\Update.dll (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\system32\System.exe (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\system32\explore.exe (Backdoor.Bot) -> Delete on reboot.

C:\WINDOWS\system32\lweurqhx.dll (Spyware.OnlineGames) -> Delete on reboot.

C:\WINDOWS\system32\comuidsg.dll (Spyware.OnlineGames) -> Delete on reboot.

C:\WINDOWS\system32\HBmhly.dll (Spyware.OnlineGames) -> Delete on reboot.

C:\Documents and Settings\Owner\Local Settings\Temp\dat6D.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\drivers\HBKernel.sys (Rootkit.OnlineGames) -> Delete on reboot.

HIJACKTHIS

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:07:35 PM, on 9/17/2008

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\VERITAS Software\Update Manager\sgtray.exe

C:\HP\KBD\KBD.EXE

C:\windows\system\hpsysdrv.exe

C:\WINDOWS\wanmpsvc.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus7.hpwis.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus7.hpwis.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus7.hpwis.com/

O1 - Hosts: 127.1 localhost

O1 - Hosts: 127.1 vt0r48p760.cn

O1 - Hosts: 127.1 www.1txx.com

O1 - Hosts: 127.1 www.myovec.cn

O1 - Hosts: 127.1 po.uc-us.cn

O1 - Hosts: 127.1 219.139.83.20

O1 - Hosts: 127.1 www.msj007.cn

O1 - Hosts: 127.1 www.wyf009.cn

O1 - Hosts: 127.1 219.153.71.185

O1 - Hosts: 127.1 59.34.148.68

O1 - Hosts: 127.1 208.43.165.86

O1 - Hosts: 127.1 208.43.166.171

O1 - Hosts: 127.1 219.153.71.185

O1 - Hosts: 127.1 61.164.140.39

O1 - Hosts: 127.1 www.dsabh.cnwww.dsabh.cn

O1 - Hosts: 127.1 cwk1237.3322.org

O1 - Hosts: 127.1 www.woaigan.com

O1 - Hosts: 127.1 munchkin.marketo.net

O1 - Hosts: 127.1 post.marketo.net

O1 - Hosts: 127.1 www.mv2z.cn

O1 - Hosts: 127.1 www.91vva.cn

O1 - Hosts: 127.1 www.wq9q.cn

O1 - Hosts: 127.1 facaizhifuok.cn

O1 - Hosts: 127.1 www.wo9188.cn

O1 - Hosts: 127.1 a.woaigan.com

O1 - Hosts: 127.1 b.woaigan.com

O1 - Hosts: 127.1 xxx.usxx.info

O1 - Hosts: 127.1 alenxya.1122mb.com

O1 - Hosts: 127.1 www.972se.com

O1 - Hosts: 127.1 972se.com

O1 - Hosts: 127.1 pic.03wyt.com

O1 - Hosts: 127.1 d.03wyt.com

O1 - Hosts: 127.1 xs.03wyt.com

O1 - Hosts: 127.1 www.8jse.net

O1 - Hosts: 127.1 8jse.net

O1 - Hosts: 127.1 www.bmwtvb.cn

O1 - Hosts: 127.1 www.kcuf-09.cn

O1 - Hosts: 127.1 www.dvgdfg4650.com

O1 - Hosts: 127.1 www.kcuf-08.cn

O1 - Hosts: 127.1 www.kcuf-11.cn

O1 - Hosts: 127.1 www.kcuf-12.cn

O1 - Hosts: 127.1 1aa1aa.com

O1 - Hosts: 127.1 xx.avno3.com

O1 - Hosts: 127.1 xxx.avno5.com

O1 - Hosts: 127.1 www.avno7.com

O1 - Hosts: 127.1 avno7.com

O1 - Hosts: 127.1 ok.avno4.com

O1 - Hosts: 127.1 ok.avno5.com

O1 - Hosts: 127.1 ok.avno6.com

O1 - Hosts: 127.1 ok.avno7.com

O1 - Hosts: 127.1 ok.avno9.com

O1 - Hosts: 127.1 avno1.com

O1 - Hosts: 127.1 avno3.com

O1 - Hosts: 127.1 avno4.com

O1 - Hosts: 127.1 aikanav.com

O1 - Hosts: 127.1 link.selink.org

O1 - Hosts: 127.1 www.avno6.com

O1 - Hosts: 127.1 avno6.com

O1 - Hosts: 127.1 4.chibbs.info

O1 - Hosts: 127.1 bbs.chibbs.info

O1 - Hosts: 127.1 aa.ss99.biz

O1 - Hosts: 127.1 se.ss99.biz

O1 - Hosts: 127.1 aa.sxlk.net

O1 - Hosts: 127.1 se.sxlk99.com

O1 - Hosts: 127.1 www.88xj.net

O1 - Hosts: 127.1 88xj.net

O1 - Hosts: 127.1 www.99xj.net

O1 - Hosts: 127.1 99xj.net

O1 - Hosts: 127.1 www.91semi.com

O1 - Hosts: 127.1 91semi.com

O1 - Hosts: 127.1 haobaidu.1122mb.com

O1 - Hosts: 127.1 xiao777.za.pl

O1 - Hosts: 127.1 ccavo6.avno6.com

O1 - Hosts: 127.1 a.sxlk99.com

O1 - Hosts: 127.1 www.91vva.cn

O1 - Hosts: 127.1 www.qq08w12.cn

O1 - Hosts: 127.1 www.21xx.info

O1 - Hosts: 127.1 php-1.cn

O1 - Hosts: 127.1 www.v232.com

O1 - Hosts: 127.1 php-2.cn

O1 - Hosts: 127.1 php-3.cn

O1 - Hosts: 127.1 php-4.cn

O1 - Hosts: 127.1 php-5.cn

O1 - Hosts: 127.1 php-6.cn

O1 - Hosts: 127.1 php-7.cn

O1 - Hosts: 127.1 php-8.cn

O1 - Hosts: 127.1 php-9.cn

O1 - Hosts: 127.1 php-10.cn

O1 - Hosts: 127.1 php-11.cn

O1 - Hosts: 127.1 k.5x2x.com

O1 - Hosts: 127.1 a.5x2x.com

O1 - Hosts: 127.1 202.108.23.205

O1 - Hosts: 127.1 60.190.218.21

O1 - Hosts: 127.1 121.14.154.195

O1 - Hosts: 127.1 218.30.82.201

O1 - Hosts: 127.1 59.34.198.48

O1 - Hosts: 127.1 121.14.154.216

O1 - Hosts: 127.1 219.152.120.237

O1 - Hosts: 127.1 121.14.154.184

O1 - Hosts: 127.1 125.67.67.201

O1 - Hosts: 127.1 222.168.102.12

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe"

O4 - HKLM\..\Run: [VTPreset] VTPreset.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot

O4 - HKLM\..\Run: [HBService32] System.exe

O4 - HKLM\..\Run: [HBService] explore.exe

O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Startup: Adobe Media Player.lnk = C:\Program Files\Adobe Media Player\Adobe Media Player.exe

O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE

O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1219522215203

O20 - AppInit_DLLs: eskisl.dll mcromv.dll mduaey.dll lensch.dll comboaus.dll micsus.dll cupops.dll jolndyo.dll johandy.dll aotoppt.dll pewire.dll

O21 - SSODL: comuidsg.dll - {898E02AB-9372-4a2c-9C4A-FFE1AF61097F} - C:\WINDOWS\System32\comuidsg.dll (file missing)

O21 - SSODL: mstimewd.dll - {65056902-6E7B-4bd7-95BA-688DB5FA5BEB} - C:\WINDOWS\System32\mstimewd.dll

O21 - SSODL: slbiopfs2.dll - {EB9660D8-E1CD-4ff0-B4A9-00CD907F928A} - C:\WINDOWS\System32\slbiopfs2.dll

O21 - SSODL: tscfgwmijxsj.dll - {2CB77746-8ECC-40ca-8217-10CA8BE5EFC8} - C:\WINDOWS\System32\tscfgwmijxsj.dll

O21 - SSODL: nwapi32dj.dll - {A2C3BA54-DF75-4881-8EB3-E54B26BBBBC9} - C:\WINDOWS\System32\nwapi32dj.dll

O21 - SSODL: lweurqhx.dll - {71A78CD4-E470-4a18-8457-E0E0283DD507} - C:\WINDOWS\System32\lweurqhx.dll (file missing)

O21 - SSODL: avicapwm.dll - {6B9FEAD7-4319-4312-AB05-D8C9CD255BFE} - C:\WINDOWS\System32\avicapwm.dll

O21 - SSODL: xolehlpjh.dll - {F0930A2F-D971-4828-8209-B7DFD266ED44} - C:\WINDOWS\System32\xolehlpjh.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--

End of file - 7912 bytes

Also, I just noticed in C:, there's a new folder titled "avenger". I thought at first, maybe that's something you told me to create days/weeks ago that I had forgotten about. So I went into the folder and found HBmhly.dll that was created on 9/16 and an app named "system" that was created 9/15. Should they be deleted?

Edit: today I noticed that in the "avenger" folder 2 new files have been created: HBmhly.dll-ren-946 and System.exe-ren-942. Once again, should I go ahead and try to delete these manually?


You can if you wish. :angry:

Let's select the following in HijackThis and fix them:

O1 - Hosts: 127.1 localhost

O1 - Hosts: 127.1 vt0r48p760.cn

O1 - Hosts: 127.1 www.1txx.com

O1 - Hosts: 127.1 www.myovec.cn

O1 - Hosts: 127.1 po.uc-us.cn

O1 - Hosts: 127.1 219.139.83.20

O1 - Hosts: 127.1 www.msj007.cn

O1 - Hosts: 127.1 www.wyf009.cn

O1 - Hosts: 127.1 219.153.71.185

O1 - Hosts: 127.1 59.34.148.68

O1 - Hosts: 127.1 208.43.165.86

O1 - Hosts: 127.1 208.43.166.171

O1 - Hosts: 127.1 219.153.71.185

O1 - Hosts: 127.1 61.164.140.39

O1 - Hosts: 127.1 www.dsabh.cnwww.dsabh.cn

O1 - Hosts: 127.1 cwk1237.3322.org

O1 - Hosts: 127.1 www.woaigan.com

O1 - Hosts: 127.1 munchkin.marketo.net

O1 - Hosts: 127.1 post.marketo.net

O1 - Hosts: 127.1 www.mv2z.cn

O1 - Hosts: 127.1 www.91vva.cn

O1 - Hosts: 127.1 www.wq9q.cn

O1 - Hosts: 127.1 facaizhifuok.cn

O1 - Hosts: 127.1 www.wo9188.cn

O1 - Hosts: 127.1 a.woaigan.com

O1 - Hosts: 127.1 b.woaigan.com

O1 - Hosts: 127.1 xxx.usxx.info

O1 - Hosts: 127.1 alenxya.1122mb.com

O1 - Hosts: 127.1 www.972se.com

O1 - Hosts: 127.1 972se.com

O1 - Hosts: 127.1 pic.03wyt.com

O1 - Hosts: 127.1 d.03wyt.com

O1 - Hosts: 127.1 xs.03wyt.com

O1 - Hosts: 127.1 www.8jse.net

O1 - Hosts: 127.1 8jse.net

O1 - Hosts: 127.1 www.bmwtvb.cn

O1 - Hosts: 127.1 www.kcuf-09.cn

O1 - Hosts: 127.1 www.dvgdfg4650.com

O1 - Hosts: 127.1 www.kcuf-08.cn

O1 - Hosts: 127.1 www.kcuf-11.cn

O1 - Hosts: 127.1 www.kcuf-12.cn

O1 - Hosts: 127.1 1aa1aa.com

O1 - Hosts: 127.1 xx.avno3.com

O1 - Hosts: 127.1 xxx.avno5.com

O1 - Hosts: 127.1 www.avno7.com

O1 - Hosts: 127.1 avno7.com

O1 - Hosts: 127.1 ok.avno4.com

O1 - Hosts: 127.1 ok.avno5.com

O1 - Hosts: 127.1 ok.avno6.com

O1 - Hosts: 127.1 ok.avno7.com

O1 - Hosts: 127.1 ok.avno9.com

O1 - Hosts: 127.1 avno1.com

O1 - Hosts: 127.1 avno3.com

O1 - Hosts: 127.1 avno4.com

O1 - Hosts: 127.1 aikanav.com

O1 - Hosts: 127.1 link.selink.org

O1 - Hosts: 127.1 www.avno6.com

O1 - Hosts: 127.1 avno6.com

O1 - Hosts: 127.1 4.chibbs.info

O1 - Hosts: 127.1 bbs.chibbs.info

O1 - Hosts: 127.1 aa.ss99.biz

O1 - Hosts: 127.1 se.ss99.biz

O1 - Hosts: 127.1 aa.sxlk.net

O1 - Hosts: 127.1 se.sxlk99.com

O1 - Hosts: 127.1 www.88xj.net

O1 - Hosts: 127.1 88xj.net

O1 - Hosts: 127.1 www.99xj.net

O1 - Hosts: 127.1 99xj.net

O1 - Hosts: 127.1 www.91semi.com

O1 - Hosts: 127.1 91semi.com

O1 - Hosts: 127.1 haobaidu.1122mb.com

O1 - Hosts: 127.1 xiao777.za.pl

O1 - Hosts: 127.1 ccavo6.avno6.com

O1 - Hosts: 127.1 a.sxlk99.com

O1 - Hosts: 127.1 www.91vva.cn

O1 - Hosts: 127.1 www.qq08w12.cn

O1 - Hosts: 127.1 www.21xx.info

O1 - Hosts: 127.1 php-1.cn

O1 - Hosts: 127.1 www.v232.com

O1 - Hosts: 127.1 php-2.cn

O1 - Hosts: 127.1 php-3.cn

O1 - Hosts: 127.1 php-4.cn

O1 - Hosts: 127.1 php-5.cn

O1 - Hosts: 127.1 php-6.cn

O1 - Hosts: 127.1 php-7.cn

O1 - Hosts: 127.1 php-8.cn

O1 - Hosts: 127.1 php-9.cn

O1 - Hosts: 127.1 php-10.cn

O1 - Hosts: 127.1 php-11.cn

O1 - Hosts: 127.1 k.5x2x.com

O1 - Hosts: 127.1 a.5x2x.com

O1 - Hosts: 127.1 202.108.23.205

O1 - Hosts: 127.1 60.190.218.21

O1 - Hosts: 127.1 121.14.154.195

O1 - Hosts: 127.1 218.30.82.201

O1 - Hosts: 127.1 59.34.198.48

O1 - Hosts: 127.1 121.14.154.216

O1 - Hosts: 127.1 219.152.120.237

O1 - Hosts: 127.1 121.14.154.184

O1 - Hosts: 127.1 125.67.67.201

O1 - Hosts: 127.1 222.168.102.12

O4 - HKLM\..\Run: [HBService32] System.exe

O4 - HKLM\..\Run: [HBService] explore.exe

O20 - AppInit_DLLs: eskisl.dll mcromv.dll mduaey.dll lensch.dll comboaus.dll micsus.dll cupops.dll jolndyo.dll johandy.dll aotoppt.dll pewire.dll

O21 - SSODL: comuidsg.dll - {898E02AB-9372-4a2c-9C4A-FFE1AF61097F} - C:\WINDOWS\System32\comuidsg.dll (file missing)

O21 - SSODL: mstimewd.dll - {65056902-6E7B-4bd7-95BA-688DB5FA5BEB} - C:\WINDOWS\System32\mstimewd.dll

O21 - SSODL: slbiopfs2.dll - {EB9660D8-E1CD-4ff0-B4A9-00CD907F928A} - C:\WINDOWS\System32\slbiopfs2.dll

O21 - SSODL: tscfgwmijxsj.dll - {2CB77746-8ECC-40ca-8217-10CA8BE5EFC8} - C:\WINDOWS\System32\tscfgwmijxsj.dll

O21 - SSODL: nwapi32dj.dll - {A2C3BA54-DF75-4881-8EB3-E54B26BBBBC9} - C:\WINDOWS\System32\nwapi32dj.dll

O21 - SSODL: lweurqhx.dll - {71A78CD4-E470-4a18-8457-E0E0283DD507} - C:\WINDOWS\System32\lweurqhx.dll (file missing)

O21 - SSODL: avicapwm.dll - {6B9FEAD7-4319-4312-AB05-D8C9CD255BFE} - C:\WINDOWS\System32\avicapwm.dll

O21 - SSODL: xolehlpjh.dll - {F0930A2F-D971-4828-8209-B7DFD266ED44} - C:\WINDOWS\System32\xolehlpjh.dll

Please reboot after doing so, then create a fresh HijackThis log and post it. Your system logs are looking much better now. Is your computer running like it used to again?

Oh, let's go ahead and run ATF-Cleaner as well, please.


Thanks, that's good to know. They won't be deleted (when I try to delete them a message comes up that says "Cannot delete <name of file>: Unable to complete the requested operation because of either a catastrophic media failure or a data structure corruption on the disk.").

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 1:18:56 PM, on 9/19/2008

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\VERITAS Software\Update Manager\sgtray.exe

C:\HP\KBD\KBD.EXE

C:\windows\system\hpsysdrv.exe

C:\WINDOWS\System32\rundll32.exe

C:\WINDOWS\wanmpsvc.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus7.hpwis.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus7.hpwis.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus7.hpwis.com/

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe"

O4 - HKLM\..\Run: [VTPreset] VTPreset.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot

O4 - HKLM\..\Run: [3PMmUpdate] rundll32 "C:\WINDOWS\Update.dll",Main

O4 - HKLM\..\Run: [HBService32] System.exe

O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Startup: Adobe Media Player.lnk = C:\Program Files\Adobe Media Player\Adobe Media Player.exe

O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE

O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1219522215203

O20 - AppInit_DLLs: eskisl.dll lensch.dll micsus.dll cupops.dll jolndyo.dll johandy.dll aotoppt.dll pewire.dll comboaus.dll catower.dll wllame.dll,HBmhly.dll,HB1000Y.dll,HBWOOOL.dll,HBXY2.dll,HBJXSJ.dll,HBSO2.dll,HBFS2.dll,HBXY3.dll,HBSHQ.dll,HBFY.dll,HBWULIN2.dll,HBW2I.dll,HBKDXY.dll,HBWORLD2.dll,HBASKTAO.dll,HBZHUXIAN.dll,HBWOW.dll,HBZERO.dll,HBBO.dll,HBCONQUER.dll,HBSOUL.dll,HBCHIBI.dll,HBDNF.dll,HBWARLORDS.dll,HBTL.dll,HBPICKCHINA.dll,HBCT.dll,HBGC.dll,HBHM.dll,HBHX2.dll,HBQQHX.dll,HBTW2.dll,HBQQSG.dll,HBQQFFO.dll,HBZT.dll,HBMIR2.dll,HBRXJH.dll,HBYY.dll,HBMXD.dll,HBSQ.dll,HBTJ.dll,HBFHZL.dll,HBWLQX.dll,HBLYFX.dll,HBR2.dll,HBCHD.dll,HBTZ.dll,HBQQXX.dll,HBWD.dll,HBZG.dll,HBPPBL.dll,HBXMJ.dll,HBJTLQ.dll,HBQJSJ.dll

O21 - SSODL: mabsowpl.dll - {434FA69C-5F0A-42e1-82B8-10AF2C8E53C6} - C:\WINDOWS\System32\mabsowpl.dll

O21 - SSODL: tvxlrqso.dll - {EB9660D8-E1CD-4ff0-B4A9-00CD907F928A} - C:\WINDOWS\System32\tvxlrqso.dll

O21 - SSODL: jfktyugq.dll - {71A78CD4-E470-4a18-8457-E0E0283DD507} - C:\WINDOWS\System32\jfktyugq.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--

End of file - 7993 bytes

O4 - HKLM\..\Run: [HBService] explore.exe was missing, so I couldn't fix it.

The computer is running fine; the internet connection is a little slower though.


Hi cmoney, boot into safe mode and kill these with HijackThis:

O20 - AppInit_DLLs: eskisl.dll lensch.dll micsus.dll cupops.dll jolndyo.dll johandy.dll aotoppt.dll pewire.dll comboaus.dll catower.dll wllame.dll,HBmhly.dll,HB1000Y.dll,HBWOOOL.dll,HBXY2.dll,HBJXSJ.dll,HBSO2.dll,HBFS2.dll,HBXY3.dll,HBSHQ.dll,HBFY.dll,HBWULIN2.dll,HBW2I.dll,HBKDXY.dll,HBWORLD2.dll,HBASKTAO.dll,HBZHUXIAN.dll,HBWOW.dll,HBZERO.dll,HBBO.dll,HBCONQUER.dll,HBSOUL.dll,HBCHIBI.dll,HBDNF.dll,HBWARLORDS.dll,HBTL.dll,HBPICKCHINA.dll,HBCT.dll,HBGC.dll,HBHM.dll,HBHX2.dll,HBQQHX.dll,HBTW2.dll,HBQQSG.dll,HBQQFFO.dll,HBZT.dll,HBMIR2.dll,HBRXJH.dll,HBYY.dll,HBMXD.dll,HBSQ.dll,HBTJ.dll,HBFHZL.dll,HBWLQX.dll,HBLYFX.dll,HBR2.dll,HBCHD.dll,HBTZ.dll,HBQQXX.dll,HBWD.dll,HBZG.dll,HBPPBL.dll,HBXMJ.dll,HBJTLQ.dll,HBQJSJ.dll

O21 - SSODL: mabsowpl.dll - {434FA69C-5F0A-42e1-82B8-10AF2C8E53C6} - C:\WINDOWS\System32\mabsowpl.dll

O21 - SSODL: tvxlrqso.dll - {EB9660D8-E1CD-4ff0-B4A9-00CD907F928A} - C:\WINDOWS\System32\tvxlrqso.dll

O21 - SSODL: jfktyugq.dll - {71A78CD4-E470-4a18-8457-E0E0283DD507} - C:\WINDOWS\System32\jfktyugq.dll

Then scan again and verify HijackThis removed them. Also, the 3 files listed below, please zip as dustincheck2.zip and upload to uploads.malwarebytes.org. If HijackThis kills them before you can do that, it's okay. :angry:


Hey Raid,

I did what you said, but I zipped up the 3 .dlls first in normal mode, and they were too big, so I went to my email and sent them to marcin. I hope that was okay. Before I did that I successfully deleted those entries, but only after I made copies to send to you. So when I verified they were gone by scanning again, I forgot I still had copies on the desktop to send to you (or actually marcin), and when I did that in normal mode and went back to safe mode and scanned again, they were found again. So I deleted the copies and killed the entries successfully in HijackThis, but others came up.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 3:49:50 PM, on 9/19/2008

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\VERITAS Software\Update Manager\sgtray.exe

C:\HP\KBD\KBD.EXE

C:\windows\system\hpsysdrv.exe

C:\WINDOWS\System32\rundll32.exe

C:\WINDOWS\wanmpsvc.exe

C:\WINDOWS\System32\wbem\wmiprvse.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus7.hpwis.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus7.hpwis.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus7.hpwis.com/

O2 - BHO: ThunderAdvise - {97421D0D-E07F-40DF-8F07-99597B9585AD} - C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe"

O4 - HKLM\..\Run: [VTPreset] VTPreset.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot

O4 - HKLM\..\Run: [3PMmUpdate] rundll32 "C:\WINDOWS\Update.dll",Main

O4 - HKLM\..\Run: [HBService32] System.exe

O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Startup: Adobe Media Player.lnk = C:\Program Files\Adobe Media Player\Adobe Media Player.exe

O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE

O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1219522215203

O20 - AppInit_DLLs: HBmhly.dll,HB1000Y.dll,HBWOOOL.dll,HBXY2.dll,HBJXSJ.dll,HBSO2.dll,HBFS2.dll,HBXY3.dll,HBSHQ.dll,HBFY.dll,HBWULIN2.dll,HBW2I.dll,HBKDXY.dll,HBWORLD2.dll,HBASKTAO.dll,HBZHUXIAN.dll,HBWOW.dll,HBZERO.dll,HBBO.dll,HBCONQUER.dll,HBSOUL.dll,HBCHIBI.dll,HBDNF.dll,HBWARLORDS.dll,HBTL.dll,HBPICKCHINA.dll,HBCT.dll,HBGC.dll,HBHM.dll,HBHX2.dll,HBQQHX.dll,HBTW2.dll,HBQQSG.dll,HBQQFFO.dll,HBZT.dll,HBMIR2.dll,HBRXJH.dll,HBYY.dll,HBMXD.dll,HBSQ.dll,HBTJ.dll,HBFHZL.dll,HBWLQX.dll,HBLYFX.dll,HBR2.dll,HBCHD.dll,HBTZ.dll,HBQQXX.dll,HBWD.dll,HBZG.dll,HBPPBL.dll,HBXMJ.dll,HBJTLQ.dll,HBQJSJ.dll

O21 - SSODL: hultwmtu.dll - {D3112B69-A745-4805-874E-ABD480EA1299} - C:\WINDOWS\System32\hultwmtu.dll

O21 - SSODL: sysocmgr - {DA1DE019-A6A8-ED40-4B87-248B2A93DE99} - C:\WINDOWS\sysocmgr.dll

O21 - SSODL: ThunderAdvise - {97421D0D-E07F-40DF-8F07-99597B9585AD} - C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll

O21 - SSODL: mabsowpl.dll - {434FA69C-5F0A-42e1-82B8-10AF2C8E53C6} - C:\WINDOWS\System32\mabsowpl.dll

O21 - SSODL: tvxlrqso.dll - {EB9660D8-E1CD-4ff0-B4A9-00CD907F928A} - C:\WINDOWS\System32\tvxlrqso.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--

End of file - 8339 bytes


I came on today and ran a scan for the hell of it, and the log changed; thought I'd show you.

***note*** [HBService32] System.exe & [HBService] explore.exe are both present again (I'm guessing killing those .dlls (which are also back) will work now since they are both present again?)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:28:17 AM, on 9/20/2008

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\HP\KBD\KBD.EXE

C:\windows\system\hpsysdrv.exe

C:\WINDOWS\System32\rundll32.exe

C:\WINDOWS\wanmpsvc.exe

C:\WINDOWS\System32\rundll32.exe

C:\WINDOWS\System32\eskislk.exe

C:\WINDOWS\System32\explore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus7.hpwis.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus7.hpwis.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus7.hpwis.com/

O2 - BHO: ThunderAdvise - {97421D0D-E07F-40DF-8F07-99597B9585AD} - C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe"

O4 - HKLM\..\Run: [VTPreset] VTPreset.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot

O4 - HKLM\..\Run: [3PMmUpdate] rundll32 "C:\WINDOWS\Update.dll",Main

O4 - HKLM\..\Run: [HBService32] System.exe

O4 - HKLM\..\Run: [HBService] explore.exe

O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Startup: Adobe Media Player.lnk = C:\Program Files\Adobe Media Player\Adobe Media Player.exe

O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE

O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1219522215203

O20 - AppInit_DLLs: eskisl.dll

O21 - SSODL: hultwmtu.dll - {D3112B69-A745-4805-874E-ABD480EA1299} - C:\WINDOWS\System32\hultwmtu.dll

O21 - SSODL: sysocmgr - {DA1DE019-A6A8-ED40-4B87-248B2A93DE99} - C:\WINDOWS\sysocmgr.dll

O21 - SSODL: ThunderAdvise - {97421D0D-E07F-40DF-8F07-99597B9585AD} - C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll

O21 - SSODL: mabsowpl.dll - {434FA69C-5F0A-42e1-82B8-10AF2C8E53C6} - C:\WINDOWS\System32\bpoyvbfz.dll

O21 - SSODL: tvxlrqso.dll - {EB9660D8-E1CD-4ff0-B4A9-00CD907F928A} - C:\WINDOWS\System32\tvxlrqso.dll

O21 - SSODL: DesktopWin - {DA191DE0-AA86-4ED0-4B87-292A3D48BE99} - C:\WINDOWS\AppPatch\DesktopWin.dll

O21 - SSODL: bpoyvbfz.dll - {434FA69C-5F0A-42e1-82B8-10AF2C8E53C6} - C:\WINDOWS\System32\bpoyvbfz.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--

End of file - 8071 bytes


Hmm... Alright... do this:

I need you to follow the instructions provided here http://www.malwarebytes.org/forums/index.php?showtopic=2936 first.

I also need for you to download this program http://oldtimer.geekstogo.com/OTListIt.exe to your desktop.

* Close all applications and windows so that you have nothing open and are at your Desktop

* Double-click on the OTListIt.exe file to start OTListIt. OK any warning about running OTListIt.

* Place a checkmark in the "Scan All Users" checkbox (Leave the 'Use Whitelist' checked and the 'File Age:' at 30 days)

* Click the Run Scan button

Note: Please be patient and let the scan run without using the computer

* When the scan is complete, a text file (OTListIt.Txt) will open in Notepad (if not, it can be found on your Desktop)

* In Notepad, click Edit > Select all then Edit > Copy

* Reply to this topic, click in the topic reply window, and press Ctrl+V to paste the log

* Submit your reply and close the Notepad window with OTList.txt

* Also OTListIt's Extras.txt log file will be minimised in the Taskbar (and located on your Desktop) - click on this and maximise the window

* In Notepad, click Edit > Select all then Edit > Copy

* Reply to this topic again, click in the topic reply window, and press Ctrl+V to paste the extras log

If the files (OTListIt.txt, Extras.txt) do not appear in your taskbar, just open the files in notepad; they will be on your desktop.

Please allow me time to analyze your post. If you don't see a reply from me after 24 hours, feel free to PM me.


OTListIt logfile created on: 9/20/2008 1:02:35 PM - Run 1

OTListIt by OldTimer - Version 1.0.4.0 Folder = C:\Documents and Settings\Owner\My Documents

Windows XP Home Edition Service Pack 1 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 6.0.2800.1106)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

223.48 Mb Total Physical Memory | 80.60 Mb Available Physical Memory | 36.06% Memory free

547.12 Mb Paging File | 417.17 Mb Available in Paging File | 76.25% Paging File free

Paging file location(s): C:\pagefile.sys 336 672;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 33.40 Gb Total Space | 11.80 Gb Free Space | 35.32% Space Free | Partition Type: NTFS

Drive D: | 3.89 Gb Total Space | 0.74 Gb Free Space | 18.93% Space Free | Partition Type: FAT32

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: YOUR-N3TY7ATHD5

Current User Name: Owner

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: All users

Whitelist: On

Files within: 30 Days

========== Processes - Non-Microsoft Only ==========

[2008/09/20 10:23:21 | 00,003,584 | ---- | M] () -- C:\WINDOWS\system32\explore.exe

========== Win32 Services - Non-Microsoft Only ==========

[2008/09/20 13:01:33 | R--D | M] -- . -- (Microsoft Agent [Disabled | Stopped])

[2008/09/20 13:01:33 | R--D | M] -- . -- (nservice [Disabled | Stopped])

========== Driver Services - Non-Microsoft Only ==========

File not found -- C:\WINDOWS\System32\drivers\orvhgp.sys -- (bmdc [boot | Stopped])

[2008/08/24 00:40:42 | 00,085,969 | ---- | M] (GMER) -- C:\WINDOWS\system32\drivers\gmer.sys -- (gmer [On_Demand | Stopped])

[2008/09/15 07:53:48 | 00,014,640 | ---- | M] () -- C:\WINDOWS\system32\drivers\HBKernel32.sys -- (HBKernel32 [boot | Running])

[2008/09/20 10:23:20 | 00,039,920 | ---- | M] () -- C:\WINDOWS\system32\drivers\HBKernel.sys -- (HBKernel [boot | Running])

========== Internet Explorer ==========

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com

HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm

HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com

HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus7.hpwis.com/

HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus7.hpwis.com/

HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm

HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com

HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

HKU\S-1-5-19\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

HKU\S-1-5-20\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

HKU\S-1-5-21-442785047-2655992494-1152365243-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus7.hpwis.com/

HKU\S-1-5-21-442785047-2655992494-1152365243-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus7.hpwis.com/

HKU\S-1-5-21-442785047-2655992494-1152365243-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm

HKU\S-1-5-21-442785047-2655992494-1152365243-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com

HKU\S-1-5-21-442785047-2655992494-1152365243-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com

HKU\S-1-5-21-442785047-2655992494-1152365243-1003\S-1-5-21-442785047-2655992494-1152365243-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

O1 HOSTS File: (205005 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts

O1 - Hosts: 127.1 localhost

O1 - Hosts: 127.1 vt0r48p760.cn

O1 - Hosts: 127.1 www.1txx.com

O1 - Hosts: 127.1 www.myovec.cn

O1 - Hosts: 127.1 po.uc-us.cn

O1 - Hosts: 127.1 219.139.83.20

O1 - Hosts: 127.1 www.msj007.cn

O1 - Hosts: 127.1 www.wyf009.cn

O1 - Hosts: 127.1 219.153.71.185

O1 - Hosts: 127.1 59.34.148.68

O1 - Hosts: 127.1 208.43.165.86

O1 - Hosts: 127.1 208.43.166.171

O1 - Hosts: 127.1 219.153.71.185

O1 - Hosts: 127.1 61.164.140.39

O1 - Hosts: 127.1 www.dsabh.cnwww.dsabh.cn

O1 - Hosts: 127.1 cwk1237.3322.org

O1 - Hosts: 127.1 www.woaigan.com

O1 - Hosts: 127.1 munchkin.marketo.net

O1 - Hosts: 127.1 post.marketo.net

O1 - Hosts: 127.1 www.mv2z.cn

O1 - Hosts: 127.1 www.91vva.cn

O1 - Hosts: 127.1 www.wq9q.cn

O1 - Hosts: 127.1 facaizhifuok.cn

O1 - Hosts: 127.1 www.wo9188.cn

O1 - Hosts: 127.1 a.woaigan.com

O1 - Hosts: 9237 more lines...

O2 - BHO: (ThunderHlpObj Class) - {97421D0D-E07F-40DF-8F07-99597B9585AD} - C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll ()

O3 - HKLM\..\Toolbar: (&Radio) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx ()

O3 - HKCU\..\Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Reg Error: Key does not exist or could not be opened. File not found

O3 - HKCU\..\Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key does not exist or could not be opened. File not found

O3 - HKCU\..\Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Reg Error: Key does not exist or could not be opened. File not found

O3 - HKCU\..\Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key does not exist or could not be opened. File not found

O3 - HKU\S-1-5-21-442785047-2655992494-1152365243-1003\..\Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Reg Error: Key does not exist or could not be opened. File not found

O3 - HKU\S-1-5-21-442785047-2655992494-1152365243-1003\..\Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key does not exist or could not be opened. File not found

O3 - HKU\S-1-5-21-442785047-2655992494-1152365243-1003\..\Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Reg Error: Key does not exist or could not be opened. File not found

O3 - HKU\S-1-5-21-442785047-2655992494-1152365243-1003\..\Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key does not exist or could not be opened. File not found

O4 - HKLM..\Run: [3PMmUpdate] rundll32 "C:\WINDOWS\Update.dll",Main ()

O4 - HKLM..\Run: [HBService] explore.exe ()

O4 - HKLM..\Run: [HBService32] System.exe ()

O4 - HKLM..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE ()

O4 - HKLM..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe" ()

O4 - HKLM..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe" ()

O4 - Startup: C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Adobe Media Player.lnk = C:\Program Files\Adobe Media Player\Adobe Media Player.exe File not found

O4 - Startup: C:\Documents and Settings\Owner\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE ()

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 0

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 1

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 1

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-21-442785047-2655992494-1152365243-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-21-442785047-2655992494-1152365243-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0

O7 - HKU\S-1-5-21-442785047-2655992494-1152365243-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 0

O9 - Extra Button: @shdoclc.dll,-866 - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\Web\related.htm ()

O9 - Extra 'Tools' menuitem : @shdoclc.dll,-864 - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\Web\related.htm ()

O15 - HKCU\..Trusted Sites: (msn in My Computer)

O15 - HKU\S-1-5-21-442785047-2655992494-1152365243-1003\..Trusted Sites: (msn in My Computer)

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab (ActiveScan 2.0 Installer Class)

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/windowsupd...b?1219522215203 (WUWebControl Class)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/products/plugin/1.3.1/...-131_02-win.cab (Java Plug-in 1.3.1_02)

O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Key does not exist or could not be opened.)

O16 - DPF: {CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA} http://java.sun.com/products/plugin/1.3.1/...-131_02-win.cab (Java Plug-in 1.3.1_02)

O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} http://java.sun.com/products/plugin/autodl..._4_0_01-win.cab (Java Plug-in 1.4.0_01)

O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key does not exist or could not be opened.)

O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key does not exist or could not be opened.)

O18 - Protocol\Handler: - ipp - No CLSID value found

O18 - Protocol\Handler: - msdaipp - No CLSID value found

O18 - Protocol\Handler: - vnd.ms.radio - C:\WINDOWS\system32\msdxm.ocx ()

O20 - See sections below for AppInitDlls and Winlogon settings

O21 - SSODL: bpoyvbfz.dll - {434FA69C-5F0A-42e1-82B8-10AF2C8E53C6}C:\WINDOWS\system32\bpoyvbfz.dll ()

O21 - SSODL: hultwmtu.dll - {D3112B69-A745-4805-874E-ABD480EA1299}C:\WINDOWS\system32\hultwmtu.dll ()

O21 - SSODL: mabsowpl.dll - {434FA69C-5F0A-42e1-82B8-10AF2C8E53C6}C:\WINDOWS\system32\bpoyvbfz.dll ()

O21 - SSODL: sysocmgr - {DA1DE019-A6A8-ED40-4B87-248B2A93DE99}C:\WINDOWS\sysocmgr.dll (Microsoft Corporation)

O21 - SSODL: ThunderAdvise - {97421D0D-E07F-40DF-8F07-99597B9585AD}C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll ()

O21 - SSODL: tvxlrqso.dll - {EB9660D8-E1CD-4ff0-B4A9-00CD907F928A}C:\WINDOWS\system32\tvxlrqso.dll ()

========== AppInit_DLLs ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_Dlls" = aaa.dll,HBmhly.dll

>File not found --

>[2008/09/19 12:59:22 | 00,019,456 | ---- | M] () -- C:\WINDOWS\system32\HBmhly.dll

========== Shell Execute Hooks ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

"{00240024-0024-0024-0024-00240024BB15}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found

"{2CB77746-8ECC-40ca-8217-10CA8BE5EFC8}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found

"{434FA69C-5F0A-42e1-82B8-10AF2C8E53C6}" (HKLM) -- C:\WINDOWS\system32\bpoyvbfz.dll ()

"{6B9FEAD7-4319-4312-AB05-D8C9CD255BFE}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found

"{71A78CD4-E470-4a18-8457-E0E0283DD507}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found

"{76D44356-B494-443a-BEDC-AA68DE4255E6}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found

"{7A6DF30E-D0F2-446f-B4F0-BF4232D60E07}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found

"{898E02AB-9372-4a2c-9C4A-FFE1AF61097F}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found

"{9E8287B0-0F3A-48ae-99C5-A6E0AAC36BC5}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found

"{A2C3BA54-DF75-4881-8EB3-E54B26BBBBC9}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found

"{BB4E3499-0132-4d3f-849A-2BE1B26D84E1}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found

"{D3112B69-A745-4805-874E-ABD480EA1299}" (HKLM) -- C:\WINDOWS\system32\hultwmtu.dll ()

"{DA56B183-A731-402b-9235-2CB8803E212D}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found

"{E0F3526A-4165-4589-80CD-50B6FBAC3BDA}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found

"{EB9660D8-E1CD-4ff0-B4A9-00CD907F928A}" (HKLM) -- C:\WINDOWS\system32\tvxlrqso.dll ()

"{F0930A2F-D971-4828-8209-B7DFD266ED44}" (HKLM) -- Reg Error: Key does not exist or could not be opened. File not found

========== Safeboot Options ==========

"AlternateShell" = cmd.exe

========== CDRom AutoRun Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]

"AutoRun" = 1

========== Autorun Files on Drives ==========

AUTOEXEC.BAT []

[2003/01/24 10:07:32 | 00,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT -- [ NTFS ]

AUTOEXEC.BAT []

[2001/07/28 07:07:38 | 00,000,000 | RHS- | M] () -- D:\AUTOEXEC.BAT -- [ FAT32 ]

Autorun.inf [[AUTORUN] | OPEN=Info.exe folder.htt 480 480 | ]

[2002/09/11 04:02:32 | 00,000,045 | -HS- | M] () -- D:\Autorun.inf -- [ FAT32 ]

========== Files/Folders - Created Within 30 days ==========

[2 C:\WINDOWS\*.tmp files]

[2008/09/20 10:28:17 | 00,008,072 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\hijackthis 9 20

[2008/09/20 10:23:22 | 02,180,896 | ---- | C] () -- C:\WINDOWS\System32\bpoyvbfz.dll

[2008/09/20 10:23:21 | 00,003,584 | ---- | C] () -- C:\WINDOWS\System32\explore.exe

[2008/09/20 10:23:20 | 00,039,920 | ---- | C] () -- C:\WINDOWS\System32\drivers\HBKernel.sys

[2008/09/20 10:20:17 | 00,014,848 | ---- | C] () -- C:\WINDOWS\System32\HBQQSG.dll

[2008/09/19 15:47:21 | 23,440,9984 | -HS- | C] () -- C:\hiberfil.sys

[2008/09/19 15:39:40 | 00,053,248 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\linkinfo.dll

[2008/09/19 15:39:30 | 00,024,576 | ---- | C] () -- C:\WINDOWS\System32\HBCT.dll

[2008/09/19 15:39:30 | 00,016,384 | ---- | C] () -- C:\WINDOWS\System32\HBXY2.dll

[2008/09/19 15:39:29 | 00,024,576 | ---- | C] () -- C:\WINDOWS\System32\HB1000Y.dll

[2008/09/19 15:39:26 | 02,574,764 | ---- | C] () -- C:\WINDOWS\System32\hultwmtu.dll

[2008/09/19 13:00:05 | 00,015,360 | ---- | C] () -- C:\WINDOWS\System32\HBQQFFO.dll

[2008/09/19 13:00:05 | 00,005,120 | ---- | C] () -- C:\WINDOWS\System32\System.exe

[2008/09/19 13:00:03 | 00,028,672 | ---- | C] () -- C:\WINDOWS\System32\wllame.dll

[2008/09/19 12:59:58 | 02,124,716 | ---- | C] () -- C:\WINDOWS\System32\wtgdgmmw.dll

[2008/09/19 12:59:51 | 02,630,060 | ---- | C] () -- C:\WINDOWS\System32\zxxcwpnz.dll

[2008/09/19 12:59:50 | 01,049,888 | ---- | C] () -- C:\WINDOWS\System32\avicapwm.dll

[2008/09/19 12:59:41 | 02,359,724 | ---- | C] () -- C:\WINDOWS\System32\tvxlrqso.dll

[2008/09/19 12:59:39 | 02,175,636 | ---- | C] () -- C:\WINDOWS\System32\mabsowpl.dll

[2008/09/19 12:59:27 | 02,182,060 | ---- | C] () -- C:\WINDOWS\System32\comuidsg.dll

[2008/09/19 12:59:22 | 00,019,456 | ---- | C] () -- C:\WINDOWS\System32\HBmhly.dll

[2008/09/19 12:59:09 | 00,019,456 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\sysocmgr.dll

[2008/09/19 12:59:02 | 00,229,376 | ---- | C] () -- C:\WINDOWS\Update.dll

[2008/09/18 19:03:33 | 00,024,576 | ---- | C] () -- C:\WINDOWS\System32\HBCONQUER.dll

[2008/09/18 19:03:16 | 00,024,576 | ---- | C] () -- C:\WINDOWS\System32\HBFY.dll

[2008/09/17 20:17:37 | 00,011,776 | ---- | C] () -- C:\WINDOWS\System32\pewirek.exe

[2008/09/17 20:01:39 | 02,220,460 | ---- | C] () -- C:\WINDOWS\System32\nwapi32dj.dll

[2008/09/17 16:30:05 | 00,011,776 | ---- | C] () -- C:\WINDOWS\System32\comboausk.exe

[2008/09/17 16:30:03 | 00,028,672 | ---- | C] () -- C:\WINDOWS\System32\comboaus.dll

[2008/09/16 18:44:12 | 00,140,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\rpnrvy.exe

[2008/09/16 18:08:23 | 00,012,288 | ---- | C] () -- C:\WINDOWS\System32\eskislk.exe

[2008/09/16 17:53:01 | 00,140,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\nqduxw.exe

[2008/09/16 15:16:52 | 00,140,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\gfdmga.exe

[2008/09/15 18:09:06 | 00,012,800 | ---- | C] () -- C:\WINDOWS\System32\jolndyok.exe

[2008/09/15 18:09:05 | 00,024,576 | ---- | C] () -- C:\WINDOWS\System32\jolndyo.dll

[2008/09/15 07:54:16 | 00,008,234 | -HS- | C] () -- C:\WINDOWS\System32\kildh3l.dll

[2008/09/15 07:54:15 | 00,004,410 | ---- | C] () -- C:\WINDOWS\System32\wrm32.dll

[2008/09/15 07:54:07 | 00,024,576 | ---- | C] () -- C:\WINDOWS\System32\catower.dll

[2008/09/15 07:54:04 | 00,024,576 | ---- | C] () -- C:\WINDOWS\System32\pewire.dll

[2008/09/15 07:54:01 | 00,028,672 | ---- | C] () -- C:\WINDOWS\System32\aotoppt.dll

[2008/09/15 07:54:00 | 02,176,660 | ---- | C] () -- C:\WINDOWS\System32\twainyy.dll

[2008/09/15 07:53:54 | 02,609,952 | ---- | C] () -- C:\WINDOWS\System32\adsntzt.dll

[2008/09/15 07:53:49 | 00,024,576 | ---- | C] () -- C:\WINDOWS\System32\HBSOUL.dll

[2008/09/15 07:53:48 | 00,014,640 | ---- | C] () -- C:\WINDOWS\System32\drivers\HBKernel32.sys

[2008/09/15 07:53:46 | 00,024,576 | ---- | C] () -- C:\WINDOWS\System32\johandy.dll

[2008/09/15 07:53:44 | 00,028,672 | ---- | C] () -- C:\WINDOWS\System32\lensch.dll

[2008/09/15 07:53:41 | 02,213,804 | ---- | C] () -- C:\WINDOWS\System32\dispexcb.dll

[2008/09/15 07:53:38 | 02,458,772 | ---- | C] () -- C:\WINDOWS\System32\cliconfgzx.dll

[2008/09/15 07:53:29 | 00,024,576 | ---- | C] () -- C:\WINDOWS\System32\mduaey.dll

[2008/09/15 07:53:23 | 00,028,672 | ---- | C] () -- C:\WINDOWS\System32\eskisl.dll

[2008/09/15 07:53:21 | 00,011,776 | ---- | C] () -- C:\WINDOWS\System32\qxfelk.exe

[2008/09/14 19:07:12 | 00,028,544 | ---- | C] (Panda Security, S.L.) -- C:\WINDOWS\System32\drivers\pavboot.sys

[2008/09/14 09:53:40 | 00,000,054 | ---- | C] () -- C:\WINDOWS\System32\x

[2008/09/14 03:33:05 | 00,201,030 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\lspfix.zip

[2008/09/12 15:00:47 | 00,000,775 | ---- | C] () -- C:\Documents and Settings\Owner\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk

[2008/09/12 15:00:33 | 00,000,619 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\NTREGOPT.lnk

[2008/09/12 15:00:33 | 00,000,600 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\ERUNT.lnk

[2008/09/12 13:41:12 | 00,140,288 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\phqghu.exe

[2008/09/12 12:30:19 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\buq.exe

[2008/09/10 22:31:13 | 00,791,393 | ---- | C] (Lars Hederer ) -- C:\Documents and Settings\Owner\My Documents\erunt-setup.exe

[2008/09/10 13:20:58 | 00,000,608 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\Shortcut to estherbaxter205.lnk

[2008/09/09 17:11:01 | 00,003,000 | -HS- | C] () -- C:\WINDOWS\System32\kildh3l.cfg

[2008/09/07 18:36:19 | 00,028,672 | ---- | C] () -- C:\WINDOWS\System32\micsus.dll

[2008/09/07 13:25:06 | 00,210,097 | ---- | C] () -- C:\WINDOWS\001f407d.exe

[2008/09/07 12:43:57 | 00,008,704 | -HS- | C] () -- C:\WINDOWS\Thumbs.db

@Alternate Data Stream - 0 bytes -> C:\WINDOWS\Thumbs.db:encryptable

[2008/09/01 14:47:55 | 00,010,752 | ---- | C] () -- C:\WINDOWS\DCEBoot.exe

[2008/08/31 23:47:07 | 00,000,000 | RHS- | C] () -- C:\asdf

[2008/08/30 22:56:21 | 00,002,017 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\15 56 before

[2008/08/30 22:40:58 | 00,002,058 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\10 40 before

[2008/08/30 19:20:41 | 00,002,830 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\7 20 before log

[2008/08/30 00:02:15 | 00,000,022 | ---- | C] () -- C:\WINDOWS\System32\msCMTsrvc.zip

[2008/08/29 22:27:34 | 00,001,742 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\HijackThis.lnk

[2008/08/29 22:22:27 | 00,001,170 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\10 22 log before

[2008/08/26 19:30:03 | 00,024,576 | ---- | C] () -- C:\WINDOWS\System32\rmchamp.dll

[2008/08/26 10:57:08 | 00,000,750 | ---- | C] () -- C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Adobe Media Player.lnk

[2008/08/26 10:57:08 | 00,000,675 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk

[2008/08/25 13:33:43 | 00,090,112 | ---- | C] () -- C:\WINDOWS\System32\uyl.exe

[2008/08/25 12:34:04 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\oyj.exe

[2008/08/24 12:57:30 | 00,667,648 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\Norton_Removal_Tool.exe

[2008/08/24 00:40:48 | 00,000,250 | ---- | C] () -- C:\WINDOWS\gmer.ini

[2008/08/24 00:40:42 | 00,884,736 | ---- | C] () -- C:\WINDOWS\gmer.dll

[2008/08/24 00:40:42 | 00,085,969 | ---- | C] (GMER) -- C:\WINDOWS\System32\drivers\gmer.sys

[2008/08/24 00:40:42 | 00,000,080 | ---- | C] () -- C:\WINDOWS\gmer_uninstall.cmd

[2008/08/24 00:40:41 | 00,811,008 | ---- | C] () -- C:\WINDOWS\gmer.exe

[2008/08/24 00:39:31 | 00,747,873 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\gmer.zip

[2008/08/23 16:01:52 | 00,024,576 | ---- | C] () -- C:\WINDOWS\System32\kandaof.dll

[2008/08/23 16:01:43 | 00,028,672 | ---- | C] () -- C:\WINDOWS\System32\cupops.dll

[2008/08/23 16:00:11 | 00,000,008 | ---- | C] () -- C:\WINDOWS\System32\Update.dat

[2008/08/22 17:38:10 | 00,000,704 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk

[2008/08/22 17:27:14 | 01,119,784 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\Owner\Desktop\MGADiag.exe

[2008/08/21 22:22:32 | 00,000,032 | ---- | C] () -- C:\WINDOWS\System32\thxcfg.ini

========== Files - Modified Within 30 days ==========

[1 C:\WINDOWS\System32\*.tmp files]

[2 C:\WINDOWS\*.tmp files]

[2008/09/20 10:28:17 | 00,008,072 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\hijackthis 9 20

[2008/09/20 10:26:44 | 00,205,005 | R-S- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts

[2008/09/20 10:23:22 | 02,180,896 | ---- | M] () -- C:\WINDOWS\System32\bpoyvbfz.dll

[2008/09/20 10:23:21 | 00,028,672 | ---- | M] () -- C:\WINDOWS\System32\eskisl.dll

[2008/09/20 10:23:21 | 00,012,288 | ---- | M] () -- C:\WINDOWS\System32\eskislk.exe

[2008/09/20 10:23:21 | 00,003,584 | ---- | M] () -- C:\WINDOWS\System32\explore.exe

[2008/09/20 10:23:20 | 00,039,920 | ---- | M] () -- C:\WINDOWS\System32\drivers\HBKernel.sys

[2008/09/20 10:23:20 | 00,000,008 | ---- | M] () -- C:\WINDOWS\System32\Update.dat

[2008/09/20 10:23:19 | 00,019,456 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\sysocmgr.dll

[2008/09/20 10:20:17 | 00,014,848 | ---- | M] () -- C:\WINDOWS\System32\HBQQSG.dll

[2008/09/20 10:18:10 | 00,000,248 | ---- | M] () -- C:\WINDOWS\System\hpsysdrv.dat

[2008/09/20 10:18:06 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT

[2008/09/20 10:18:02 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2008/09/20 10:18:01 | 23,440,9984 | -HS- | M] () -- C:\hiberfil.sys

[2008/09/19 15:39:40 | 00,053,248 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\linkinfo.dll

[2008/09/19 15:39:30 | 00,024,576 | ---- | M] () -- C:\WINDOWS\System32\HBCT.dll

[2008/09/19 15:39:30 | 00,016,384 | ---- | M] () -- C:\WINDOWS\System32\HBXY2.dll

[2008/09/19 15:39:29 | 00,024,576 | ---- | M] () -- C:\WINDOWS\System32\HB1000Y.dll

[2008/09/19 15:39:28 | 00,024,576 | ---- | M] () -- C:\WINDOWS\System32\HBSOUL.dll

[2008/09/19 15:39:26 | 02,574,764 | ---- | M] () -- C:\WINDOWS\System32\hultwmtu.dll

[2008/09/19 13:00:07 | 00,024,576 | ---- | M] () -- C:\WINDOWS\System32\HBFY.dll

[2008/09/19 13:00:05 | 00,015,360 | ---- | M] () -- C:\WINDOWS\System32\HBQQFFO.dll

[2008/09/19 13:00:05 | 00,005,120 | ---- | M] () -- C:\WINDOWS\System32\System.exe

[2008/09/19 13:00:04 | 00,008,234 | -HS- | M] () -- C:\WINDOWS\System32\kildh3l.dll

[2008/09/19 13:00:04 | 00,004,410 | ---- | M] () -- C:\WINDOWS\System32\wrm32.dll

[2008/09/19 13:00:04 | 00,003,000 | -HS- | M] () -- C:\WINDOWS\System32\kildh3l.cfg

[2008/09/19 13:00:03 | 00,028,672 | ---- | M] () -- C:\WINDOWS\System32\wllame.dll

[2008/09/19 13:00:02 | 00,024,576 | ---- | M] () -- C:\WINDOWS\System32\catower.dll

[2008/09/19 13:00:00 | 02,124,716 | ---- | M] () -- C:\WINDOWS\System32\wtgdgmmw.dll

[2008/09/19 12:59:56 | 00,028,672 | ---- | M] () -- C:\WINDOWS\System32\comboaus.dll

[2008/09/19 12:59:53 | 00,024,576 | ---- | M] () -- C:\WINDOWS\System32\pewire.dll

[2008/09/19 12:59:52 | 00,028,672 | ---- | M] () -- C:\WINDOWS\System32\aotoppt.dll

[2008/09/19 12:59:51 | 02,630,060 | ---- | M] () -- C:\WINDOWS\System32\zxxcwpnz.dll

[2008/09/19 12:59:50 | 01,049,888 | ---- | M] () -- C:\WINDOWS\System32\avicapwm.dll

[2008/09/19 12:59:49 | 00,024,576 | ---- | M] () -- C:\WINDOWS\System32\johandy.dll

[2008/09/19 12:59:47 | 00,024,576 | ---- | M] () -- C:\WINDOWS\System32\jolndyo.dll

[2008/09/19 12:59:45 | 00,028,672 | ---- | M] () -- C:\WINDOWS\System32\cupops.dll

[2008/09/19 12:59:44 | 00,028,672 | ---- | M] () -- C:\WINDOWS\System32\micsus.dll

[2008/09/19 12:59:42 | 00,028,672 | ---- | M] () -- C:\WINDOWS\System32\lensch.dll

[2008/09/19 12:59:41 | 02,359,724 | ---- | M] () -- C:\WINDOWS\System32\tvxlrqso.dll

[2008/09/19 12:59:39 | 02,175,636 | ---- | M] () -- C:\WINDOWS\System32\mabsowpl.dll

[2008/09/19 12:59:27 | 02,182,060 | ---- | M] () -- C:\WINDOWS\System32\comuidsg.dll

[2008/09/19 12:59:22 | 00,019,456 | ---- | M] () -- C:\WINDOWS\System32\HBmhly.dll

[2008/09/19 12:59:02 | 00,229,376 | ---- | M] () -- C:\WINDOWS\Update.dll

[2008/09/19 12:40:52 | 00,025,065 | ---- | M] () -- C:\WINDOWS\System32\wmpscheme.xml

[2008/09/18 19:03:33 | 00,024,576 | ---- | M] () -- C:\WINDOWS\System32\HBCONQUER.dll

[2008/09/17 20:17:36 | 00,011,776 | ---- | M] () -- C:\WINDOWS\System32\pewirek.exe

[2008/09/17 20:01:39 | 02,220,460 | ---- | M] () -- C:\WINDOWS\System32\nwapi32dj.dll

[2008/09/17 20:01:29 | 00,024,576 | ---- | M] () -- C:\WINDOWS\System32\mduaey.dll

[2008/09/17 19:49:20 | 00,140,288 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\phqghu.exe

[2008/09/17 16:30:03 | 00,011,776 | ---- | M] () -- C:\WINDOWS\System32\comboausk.exe

[2008/09/16 18:44:14 | 00,140,288 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\rpnrvy.exe

[2008/09/16 17:53:04 | 00,140,288 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\nqduxw.exe

[2008/09/16 15:16:56 | 00,140,288 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\gfdmga.exe

[2008/09/15 18:09:05 | 00,012,800 | ---- | M] () -- C:\WINDOWS\System32\jolndyok.exe

[2008/09/15 07:54:01 | 02,176,660 | ---- | M] () -- C:\WINDOWS\System32\twainyy.dll

[2008/09/15 07:53:54 | 02,609,952 | ---- | M] () -- C:\WINDOWS\System32\adsntzt.dll

[2008/09/15 07:53:48 | 00,014,640 | ---- | M] () -- C:\WINDOWS\System32\drivers\HBKernel32.sys

[2008/09/15 07:53:41 | 02,213,804 | ---- | M] () -- C:\WINDOWS\System32\dispexcb.dll

[2008/09/15 07:53:38 | 02,458,772 | ---- | M] () -- C:\WINDOWS\System32\cliconfgzx.dll

[2008/09/15 07:53:20 | 00,011,776 | ---- | M] () -- C:\WINDOWS\System32\qxfelk.exe

[2008/09/14 20:50:45 | 00,000,250 | ---- | M] () -- C:\WINDOWS\gmer.ini

[2008/09/14 16:16:06 | 00,040,448 | ---- | M] () -- C:\WINDOWS\System32\ftp.exe

[2008/09/14 16:16:06 | 00,040,448 | ---- | M] () -- C:\WINDOWS\System32\dllcache\ftp.exe

[2008/09/14 09:53:40 | 00,000,054 | ---- | M] () -- C:\WINDOWS\System32\x

[2008/09/14 06:48:49 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\tmsshf.bin

[2008/09/14 06:35:51 | 00,010,752 | ---- | M] () -- C:\WINDOWS\DCEBoot.exe

[2008/09/14 03:33:06 | 00,201,030 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\lspfix.zip

[2008/09/12 15:00:47 | 00,000,775 | ---- | M] () -- C:\Documents and Settings\Owner\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk

[2008/09/12 15:00:33 | 00,000,619 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\NTREGOPT.lnk

[2008/09/12 15:00:33 | 00,000,600 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\ERUNT.lnk

[2008/09/12 12:30:19 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\buq.exe

[2008/09/11 10:07:32 | 00,000,800 | ---- | M] () -- C:\WINDOWS\win.ini

[2008/09/10 22:31:23 | 00,791,393 | ---- | M] (Lars Hederer ) -- C:\Documents and Settings\Owner\My Documents\erunt-setup.exe

[2008/09/10 13:20:58 | 00,000,608 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Shortcut to estherbaxter205.lnk

[2008/09/07 13:25:09 | 00,210,097 | ---- | M] () -- C:\WINDOWS\001f407d.exe

[2008/09/07 12:43:57 | 00,008,704 | -HS- | M] () -- C:\WINDOWS\Thumbs.db

@Alternate Data Stream - 0 bytes -> C:\WINDOWS\Thumbs.db:encryptable

[2008/09/06 17:21:35 | 00,416,732 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI

[2008/09/06 17:21:35 | 00,365,076 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat

[2008/09/06 17:21:35 | 00,046,080 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat

[2008/09/05 16:33:30 | 00,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2008/08/31 23:47:07 | 00,000,000 | RHS- | M] () -- C:\asdf

[2008/08/30 22:56:21 | 00,002,017 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\15 56 before

[2008/08/30 22:40:58 | 00,002,058 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\10 40 before

[2008/08/30 22:05:00 | 00,016,896 | ---- | M] () -- C:\myspace promotion.wps

[2008/08/30 19:20:41 | 00,002,830 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\7 20 before log

[2008/08/30 00:03:04 | 00,000,022 | ---- | M] () -- C:\WINDOWS\System32\msCMTsrvc.zip

[2008/08/29 22:27:34 | 00,001,742 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\HijackThis.lnk

[2008/08/29 22:22:28 | 00,001,170 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\10 22 log before

[2008/08/28 10:00:32 | 00,024,576 | ---- | M] () -- C:\WINDOWS\System32\rmchamp.dll

[2008/08/28 10:00:31 | 00,024,576 | ---- | M] () -- C:\WINDOWS\System32\kandaof.dll

[2008/08/26 10:57:13 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini

[2008/08/26 10:57:13 | 00,000,182 | RHS- | M] () -- C:\boot.ini

[2008/08/26 10:23:09 | 00,024,648 | ---- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

[2008/08/25 13:33:43 | 00,090,112 | ---- | M] () -- C:\WINDOWS\System32\uyl.exe

[2008/08/25 12:34:04 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\oyj.exe

[2008/08/24 16:32:00 | 00,000,750 | ---- | M] () -- C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Adobe Media Player.lnk

[2008/08/24 12:57:39 | 00,667,648 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\Norton_Removal_Tool.exe

[2008/08/24 00:40:42 | 00,884,736 | ---- | M] () -- C:\WINDOWS\gmer.dll

[2008/08/24 00:40:42 | 00,085,969 | ---- | M] (GMER) -- C:\WINDOWS\System32\drivers\gmer.sys

[2008/08/24 00:40:42 | 00,000,080 | ---- | M] () -- C:\WINDOWS\gmer_uninstall.cmd

[2008/08/24 00:39:41 | 00,747,873 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\gmer.zip

[2008/08/23 21:42:27 | 00,000,704 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk

[2008/08/22 23:36:04 | 02,114,040 | -H-- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\IconCache.db

[2008/08/22 17:27:14 | 01,119,784 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\Owner\Desktop\MGADiag.exe

[2008/08/21 22:22:50 | 00,000,032 | ---- | M] () -- C:\WINDOWS\System32\thxcfg.ini

[2008/08/21 20:46:21 | 00,039,936 | ---- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

< End of report >


OTListIt Extras logfile created on: 9/20/2008 1:02:35 PM - Run Owner

OTListIt by OldTimer - Version 1.0.4.0 Folder = C:\Documents and Settings\Owner\My Documents

Windows XP Home Edition Service Pack 1 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 6.0.2800.1106)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

223.48 Mb Total Physical Memory | 80.60 Mb Available Physical Memory | 36.06% Memory free

547.12 Mb Paging File | 417.17 Mb Available in Paging File | 76.25% Paging File free

Paging file location(s): C:\pagefile.sys 336 672;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 33.40 Gb Total Space | 11.80 Gb Free Space | 35.32% Space Free | Partition Type: NTFS

Drive D: | 3.89 Gb Total Space | 0.74 Gb Free Space | 18.93% Space Free | Partition Type: FAT32

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: YOUR-N3TY7ATHD5

Current User Name: Owner

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: All users

Whitelist: On

Files within: 30 Days

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"UpdatesDisableNotify" = 1

"AntiVirusDisableNotify" = 1

"FirewallDisableNotify" = 1

"AntiVirusOverride" = 1

"FirewallOverride" = 1

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{01F9D88C-3C86-4E82-840A-101A3221F67A}" = Microsoft Money 2003

"{02B42D23-10F2-4862-ADA4-3DF1EA0021B2}" = Microsoft Money 2003 System Pack

"{09DA4F91-2A09-4232-AB8C-6BC740096DE3}" = RecordNow Update Manager

"{14589F05-C658-4594-9429-D437BA688686}" = IntelliMover Data Transfer Demo

"{197A3012-8C85-4FD3-AB66-9EC7E13DB92E}" = Adobe AIR

"{1F7CCFA3-D926-4882-B2A5-A0217ED25597}" = PC-Doctor for Windows

"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP

"{764D06D8-D8DE-411E-A1C8-D9E9380F8A84}" = Microsoft Works 7.0

"{7CF31609-270B-11D6-9445-000102308676}" = Java 2 Runtime Environment, SE v1.4.0_01

"{8214CC02-6271-4DC8-B8DD-779933450264}" = RecordNow

"{865917D2-33F4-4223-BDCD-C7DA958C216C}" = Dark Orbit

"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Extreme Graphics Driver Software

"{8D5D99B8-DFA2-4018-ADE9-A6B83E655C65}" =

"{B43357AA-3A6D-4D94-B56E-43C44D09E548}" = Microsoft .NET Framework (English) v1.0.3705

"{BDE90251-93EB-4F6A-89D8-086E2D91DC56}" = Coloreal

"{EEF397AC-DAEF-4C04-90A9-5B2BD31875DC}" = Simple Installer - Multilanguage Version

"{F61F2821-694C-475F-99AB-6AF2EFDF40FD}" = Quicken 2003 New User Edition

"ActiveScan 2.0" = Panda ActiveScan 2.0

"Adobe Acrobat 5.0" = Adobe Acrobat 5.0

"Adobe AIR" = Adobe AIR

"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX

"America Online us" = America Online

"AolCoach" = AOL Coach Version 1.0(Build:20011028.1)

"CompuServe us" = CompuServe

"ERUNT_is1" = ERUNT 1.1j

"HijackThis" = HijackThis 2.0.2

"Inactive HP Printer Drivers (Remove only)" = Inactive HP Printer Drivers (Remove only)

"InstallShield_{F61F2821-694C-475F-99AB-6AF2EFDF40FD}" = Quicken 2003 New User Edition

"Java Web Start" = Java Web Start

"JRE 1.3.1_02" = Java 2 Runtime Environment Standard Edition v1.3.1_02

"KBD" = KBD

"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware

"Microsoft .NET Framework Full v1.0.3705 (1033)" = Microsoft .NET Framework (English) v1.0.3705

"Netscape (7.0)" = Netscape (7.0)

"NVIDIA" = NVIDIA Windows 2000/XP Display Drivers

"PS2" = PS2

"Python 2.2 combined Win32 extensions" = Python 2.2 combined Win32 extensions

"Q327979" = Windows XP Hotfix (SP2) Q327979

"q330638" = Windows XP Hotfix (SP2) [see q330638 for more information]

"Q331958" = Windows XP Hotfix (SP2) Q331958

"RealPlayer 6.0" = RealOne Player

"S3Display" = S3Display

"S3Gamma2" = S3Gamma2

"S3Info2" = S3Info2

"S3Overlay" = S3Overlay

"ViewpointMediaPlayer" = Viewpoint Media Player (Remove Only)

"WildTangentDDC" = WildTangent Channel Manager

========== Last 10 Event Log Errors ==========

[ Application Events ]

Error - 9/14/2008 9:16:38 AM | Computer Name = YOUR-N3TY7ATHD5 | Source = Winlogon | ID = 1015

Description = A critical system process, C:\WINDOWS\system32\lsass.exe, failed with

status code 00000000. The machine must now be restarted.

Error - 9/14/2008 9:52:57 AM | Computer Name = YOUR-N3TY7ATHD5 | Source = Application Error | ID = 1000

Description = Faulting application , version 0.0.0.0, faulting module unknown, version

0.0.0.0, fault address 0x00000000.

Error - 9/14/2008 3:39:23 PM | Computer Name = YOUR-N3TY7ATHD5 | Source = Winlogon | ID = 1015

Description = A critical system process, C:\WINDOWS\system32\lsass.exe, failed with

status code 00000000. The machine must now be restarted.

Error - 9/15/2008 12:26:58 PM | Computer Name = YOUR-N3TY7ATHD5 | Source = Application Hang | ID = 1002

Description = Hanging application IEXPLORE.EXE, version 6.0.2800.1106, hang module

shlwapi.dll, version 6.0.2800.1106, hang address 0x00022277.

Error - 9/16/2008 1:39:38 PM | Computer Name = YOUR-N3TY7ATHD5 | Source = Application Error | ID = 1000

Description = Faulting application iexplore.exe, version 6.0.2800.1106, faulting

module , version 0.0.0.0, fault address 0x00000000.

Error - 9/16/2008 3:17:02 PM | Computer Name = YOUR-N3TY7ATHD5 | Source = Application Error | ID = 1000

Description = Faulting application gfdmga.exe, version 5.1.2600.0, faulting module

gfdmga.exe, version 5.1.2600.0, fault address 0x00028728.

Error - 9/16/2008 4:36:25 PM | Computer Name = YOUR-N3TY7ATHD5 | Source = Application Error | ID = 1000

Description = Faulting application phqghu.exe, version 5.1.2600.0, faulting module

phqghu.exe, version 5.1.2600.0, fault address 0x00028728.

Error - 9/16/2008 6:44:16 PM | Computer Name = YOUR-N3TY7ATHD5 | Source = Application Error | ID = 1000

Description = Faulting application rpnrvy.exe, version 5.1.2600.0, faulting module

rpnrvy.exe, version 5.1.2600.0, fault address 0x00028728.

Error - 9/16/2008 9:55:16 PM | Computer Name = YOUR-N3TY7ATHD5 | Source = Application Error | ID = 1000

Description = Faulting application phqghu.exe, version 5.1.2600.0, faulting module

phqghu.exe, version 5.1.2600.0, fault address 0x00028728.

Error - 9/17/2008 4:28:37 PM | Computer Name = YOUR-N3TY7ATHD5 | Source = Application Error | ID = 1000

Description = Faulting application phqghu.exe, version 5.1.2600.0, faulting module

phqghu.exe, version 5.1.2600.0, fault address 0x00028728.

[ System Events ]

Error - 9/19/2008 5:03:50 PM | Computer Name = YOUR-N3TY7ATHD5 | Source = Service Control Manager | ID = 7000

Description = The mrtRate service failed to start due to the following error: %%2

Error - 9/19/2008 5:03:50 PM | Computer Name = YOUR-N3TY7ATHD5 | Source = Service Control Manager | ID = 7026

Description = The following boot-start or system-start driver(s) failed to load:

Beep

Error - 9/19/2008 6:27:34 PM | Computer Name = YOUR-N3TY7ATHD5 | Source = Service Control Manager | ID = 7000

Description = The mrtRate service failed to start due to the following error: %%2

Error - 9/19/2008 6:27:34 PM | Computer Name = YOUR-N3TY7ATHD5 | Source = Service Control Manager | ID = 7026

Description = The following boot-start or system-start driver(s) failed to load:

Beep

Error - 9/19/2008 7:26:23 PM | Computer Name = YOUR-N3TY7ATHD5 | Source = Service Control Manager | ID = 7000

Description = The mrtRate service failed to start due to the following error: %%2

Error - 9/19/2008 7:26:23 PM | Computer Name = YOUR-N3TY7ATHD5 | Source = Service Control Manager | ID = 7026

Description = The following boot-start or system-start driver(s) failed to load:

Beep

Error - 9/19/2008 9:22:36 PM | Computer Name = YOUR-N3TY7ATHD5 | Source = Service Control Manager | ID = 7000

Description = The mrtRate service failed to start due to the following error: %%2

Error - 9/19/2008 9:22:36 PM | Computer Name = YOUR-N3TY7ATHD5 | Source = Service Control Manager | ID = 7026

Description = The following boot-start or system-start driver(s) failed to load:

Beep

Error - 9/20/2008 10:19:28 AM | Computer Name = YOUR-N3TY7ATHD5 | Source = Service Control Manager | ID = 7000

Description = The mrtRate service failed to start due to the following error: %%2

Error - 9/20/2008 10:19:28 AM | Computer Name = YOUR-N3TY7ATHD5 | Source = Service Control Manager | ID = 7026

Description = The following boot-start or system-start driver(s) failed to load:

Beep

< End of report >


Blasted...

Cmoney, update MBAM and run it, and reboot when it asks you to do so. Then run HijackThis in normal mode and post the logs of both of those. For some reason we keep missing the responsible installer... At least, that's what I hope is going on.


I didn't think real people actually said "blasted"; I only heard that in movies...

MBAM:

Malwarebytes' Anti-Malware 1.28

Database version: 1182

Windows 5.1.2600 Service Pack 1

9/20/2008 6:57:06 PM

mbam-log-2008-09-20 (18-57-06).txt

Scan type: Quick Scan

Objects scanned: 49586

Time elapsed: 5 minute(s), 35 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 7

Registry Keys Infected: 14

Registry Values Infected: 11

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 29

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\Documents and Settings\Owner\Local Settings\Temp\wmsetup.dll (Trojan.Downloader) -> Delete on reboot.

C:\WINDOWS\AppPatch\DesktopWin.dll (Trojan.Downloader) -> Delete on reboot.

C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll (Trojan.BHO) -> Delete on reboot.

C:\WINDOWS\system32\tvxlrqso.dll (Spyware.OnlineGames) -> Delete on reboot.

C:\WINDOWS\system32\bpoyvbfz.dll (Spyware.OnlineGames) -> Delete on reboot.

C:\WINDOWS\system32\hultwmtu.dll (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\system32\HBmhly.dll (Spyware.OnlineGames) -> Delete on reboot.

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{da191de0-aa86-4ed0-4b87-292a3d48be99} (Trojan.Downloader) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\thunderadvise.thunderhlpobj (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\TypeLib\{6d4c7e08-e021-414c-a42d-ab15a2302196} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{deef6582-9927-4cbd-897c-6a1f9e8c47de} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{97421d0d-e07f-40df-8f07-99597b9585ad} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{97421d0d-e07f-40df-8f07-99597b9585ad} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\thunderadvise.thunderhlpobj.1 (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{da1de019-a6a8-ed40-4b87-248b2a93de99} (Spyware.OnlineGames) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{eb9660d8-e1cd-4ff0-b4a9-00cd907f928a} (Spyware.OnlineGames) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{434fa69c-5f0a-42e1-82b8-10af2c8e53c6} (Spyware.OnlineGames) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{d3112b69-a745-4805-874e-abd480ea1299} (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\hbkernel (Rootkit.OnlineGames) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\hbkernel (Rootkit.OnlineGames) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hbkernel (Rootkit.OnlineGames) -> Delete on reboot.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\desktopwin (Trojan.Downloader) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\thunderadvise (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\sysocmgr (Spyware.OnlineGames) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{eb9660d8-e1cd-4ff0-b4a9-00cd907f928a} (Spyware.OnlineGames) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\tvxlrqso.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{434fa69c-5f0a-42e1-82b8-10af2c8e53c6} (Spyware.OnlineGames) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\mabsowpl.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\bpoyvbfz.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{d3112b69-a745-4805-874e-abd480ea1299} (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\hultwmtu.dll (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3PMmUpdate (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Documents and Settings\Owner\Local Settings\Temp\wmsetup.dll (Trojan.Downloader) -> Delete on reboot.

C:\WINDOWS\AppPatch\DesktopWin.dll (Trojan.Downloader) -> Delete on reboot.

C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll (Trojan.BHO) -> Delete on reboot.

C:\WINDOWS\sysocmgr.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\tvxlrqso.dll (Spyware.OnlineGames) -> Delete on reboot.

C:\WINDOWS\system32\bpoyvbfz.dll (Spyware.OnlineGames) -> Delete on reboot.

C:\WINDOWS\system32\hultwmtu.dll (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\linkinfo.dll (Trojan.Downloader) -> Delete on reboot.

C:\WINDOWS\system32\wllame.dll (Trojan.OnlineGames) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\drivers\cdralw.sys (Trojan.Alman) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\wmsetup.dll (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\IJIFYLEL\28[1].gif (Spyware.OnlineGames) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\IJIFYLEL\abb[1].gif (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\IJIFYLEL\b[2].gif (Spyware.OnLineGames) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\MLIVMJY9\1b[1].gif (Spyware.OnlineGames) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\MLIVMJY9\26[1].gif (Spyware.OnlineGames) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\MLIVMJY9\abb[1].gif (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\MLIVMJY9\update[1].gif (Spyware.OnlineGames) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\PW7UHY51\29[1].gif (Spyware.OnlineGames) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\PW7UHY51\d[1].gif (Virus.Alman) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\SROZ4X6N\10[1].gif (Spyware.OnlineGames) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\SROZ4X6N\27[1].gif (Spyware.OnlineGames) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\SROZ4X6N\update[1].gif (Spyware.OnlineGames) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\SROZ4X6N\b[1].gif (Spyware.OnLineGames) -> Quarantined and deleted successfully.

C:\WINDOWS\Update.dll (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\system32\System.exe (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\system32\comuidsg.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\HBmhly.dll (Spyware.OnlineGames) -> Delete on reboot.

C:\WINDOWS\system32\drivers\HBKernel.sys (Rootkit.OnlineGames) -> Delete on reboot.

HIJACKTHIS:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 7:00:25 PM, on 9/20/2008

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\VERITAS Software\Update Manager\sgtray.exe

C:\HP\KBD\KBD.EXE

C:\windows\system\hpsysdrv.exe

C:\WINDOWS\wanmpsvc.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus7.hpwis.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus7.hpwis.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus7.hpwis.com/

O1 - Hosts: 127.1 localhost


O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe"

O4 - HKLM\..\Run: [VTPreset] VTPreset.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot

O4 - HKLM\..\Run: [HBService32] System.exe

O4 - HKLM\..\Run: [HBService] explore.exe

O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Startup: Adobe Media Player.lnk = C:\Program Files\Adobe Media Player\Adobe Media Player.exe

O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE

O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1219522215203

O20 - AppInit_DLLs: mduaey.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--

End of file - 6929 bytes

Task Manager is still working, and everything's running smoothly except that the internet is a little slow on startup. That NT Authority system message that shuts down the computer hasn't popped up in days.


Cmoney,

I need a fresh HijackThis log after you have run MBAM and rebooted. :angry:

Please
